Windows Analysis Report
SWIFT copy.29112022.Pdf.exe

Overview

General Information

Sample Name: SWIFT copy.29112022.Pdf.exe
Analysis ID: 756157
MD5: 5f400bae896422a69db460a4507fd657
SHA1: e90b7c431d34b39bef8492de7fb987f51c3fb804
SHA256: d5de496be1535d0b8d9c8f57087e9ae2a26aaf7c33c2ddca65b3231dc3b2460b
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • SWIFT copy.29112022.Pdf.exe (PID: 5752 cmdline: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe MD5: 5F400BAE896422A69DB460A4507FD657)
    • SWIFT copy.29112022.Pdf.exe (PID: 6072 cmdline: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe MD5: 5F400BAE896422A69DB460A4507FD657)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "humhum@nutiribio.com", "Password": "zGNVO(l5", "Host": "smtp.nutiribio.com"}
Source | Rule | Description | Author | Strings
00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
      • 0x306fa:$a3: MailAccountConfiguration
      • 0x30713:$a5: SmtpAccountConfiguration
      • 0x306da:$a8: set_BindingAccountConfiguration
      • 0x2f670:$a11: get_securityProfile
      • 0x2f511:$a12: get_useSeparateFolderTree
      • 0x30e6c:$a13: get_DnsResolver
      • 0x2f920:$a14: get_archivingScope
      • 0x2f748:$a15: get_providerName
      • 0x31e33:$a17: get_priority
      • 0x3140a:$a18: get_advancedParameters
      • 0x30814:$a19: get_disabledByRestriction
      • 0x2f2ea:$a20: get_LastAccessed
      • 0x2f9ba:$a21: get_avatarType
      • 0x31521:$a22: get_signaturePresets
      • 0x2ffb9:$a23: get_enableLog
      • 0x2f7c5:$a26: set_accountName
      • 0x3196c:$a27: set_InternalServerPort
      • 0x2ec84:$a28: set_bindingConfigurationUID
      • 0x314e7:$a29: set_IdnAddress
      • 0x31ce7:$a30: set_GuidMasterKey
      • 0x2f820:$a31: set_username
00000000.00000002.276283014.0000000004061000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.276283014.0000000004061000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
              • 0x2e5b5:$s1: get_kbok
              • 0x2eef8:$s2: get_CHoo
              • 0x2fb52:$s3: set_passwordIsSet
              • 0x2e3b9:$s4: get_enableLog
              • 0x32a28:$s8: torbrowser
              • 0x31404:$s10: logins
              • 0x30d7c:$s11: credential
              • 0x2d7d5:$g1: get_Clipboard
              • 0x2d7e3:$g2: get_Keyboard
              • 0x2d7f0:$g3: get_Password
              • 0x2ed97:$g4: get_CtrlKeyDown
              • 0x2eda7:$g5: get_ShiftKeyDown
              • 0x2edb8:$g6: get_AltKeyDown
0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
              • 0x2eafa:$a3: MailAccountConfiguration
              • 0x2eb13:$a5: SmtpAccountConfiguration
              • 0x2eada:$a8: set_BindingAccountConfiguration
              • 0x2da70:$a11: get_securityProfile
              • 0x2d911:$a12: get_useSeparateFolderTree
              • 0x2f26c:$a13: get_DnsResolver
              • 0x2dd20:$a14: get_archivingScope
              • 0x2db48:$a15: get_providerName
              • 0x30233:$a17: get_priority
              • 0x2f80a:$a18: get_advancedParameters
              • 0x2ec14:$a19: get_disabledByRestriction
              • 0x2d6ea:$a20: get_LastAccessed
              • 0x2ddba:$a21: get_avatarType
              • 0x2f921:$a22: get_signaturePresets
              • 0x2e3b9:$a23: get_enableLog
              • 0x2dbc5:$a26: set_accountName
              • 0x2fd6c:$a27: set_InternalServerPort
              • 0x2d084:$a28: set_bindingConfigurationUID
              • 0x2f8e7:$a29: set_IdnAddress
              • 0x300e7:$a30: set_GuidMasterKey
              • 0x2dc20:$a31: set_username
0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SWIFT copy.29112022.Pdf.exe | ReversingLabs: Detection: 73%
Source: SWIFT copy.29112022.Pdf.exe | Virustotal: Detection: 30%
Source: SWIFT copy.29112022.Pdf.exe | Joe Sandbox ML: detected
Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "humhum@nutiribio.com", "Password": "zGNVO(l5", "Host": "smtp.nutiribio.com"}
Source: SWIFT copy.29112022.Pdf.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SWIFT copy.29112022.Pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Veqz.pdb source: SWIFT copy.29112022.Pdf.exe

Networking

Source: Yara match | File source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261645746.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261742667.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/M95
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261855251.00000000060E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.262337254.00000000060E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261656122.00000000060E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.262264309.00000000060E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261586821.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261709013.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261757335.0000000006104000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmQ
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254538096.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255439619.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255536119.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255031466.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255607455.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255481061.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255829393.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255925563.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.256145848.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255290205.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254595717.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255391228.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254429222.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255232174.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254538096.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255439619.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255536119.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255031466.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255607455.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255481061.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/?9g
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255290205.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255391228.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255232174.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255439619.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255031466.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/M95
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254595717.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254429222.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254538096.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Verd
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254595717.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254538096.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/W8
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254595717.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254538096.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Xx
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254595717.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0nf9
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/i9
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255031466.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/W8
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/i9
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254595717.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254429222.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254538096.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255031466.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/t9
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261855251.00000000060E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261539461.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.262337254.00000000060E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261656122.00000000060E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.262264309.00000000060E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.UC
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250782932.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250927671.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250846587.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250578869.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250629587.00000000060EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250578869.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250629587.00000000060EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comalv
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250782932.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250578869.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250629587.00000000060EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comegr
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250782932.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250927671.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251160398.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250846587.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250963346.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250995609.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251206432.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251041022.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250629587.00000000060EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comof
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250629587.00000000060EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comria
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250782932.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250927671.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250846587.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250963346.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250995609.00000000060EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comu
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255401180.00000000060E6000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255308698.00000000060E6000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255250069.00000000060E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.comf
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255282999.0000000006114000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255224533.0000000006113000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.comrm
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254124405.00000000060E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comicf
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253689927.0000000006103000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253689927.0000000006103000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn=
                Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000002.521371650.00000000031F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%
                Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                System Summary

                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 00000000.00000002.276283014.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                Source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 5752, type: MEMORYSTR, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR, Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                Source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, Author: unknown
                Source: initial sample, Static PE information: Filename: SWIFT copy.29112022.Pdf.exe
                Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, <PrivateImplementationDetails>{A23A83EA-A498-4AEF-BB16-CCD2EDE07471}/A33BCC3D-23D1-407D-9507-8DF915F9F7E3.cs, Large array initialization: .cctor: array initializer size 11775
                Source: SWIFT copy.29112022.Pdf.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000000.00000002.276283014.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 5752, type: MEMORYSTR, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR, Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR, Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f, reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_02E607980_2_02E60798
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_02E651B80_2_02E651B8
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_02E607890_2_02E60789
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_02E604E80_2_02E604E8
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_02E604F80_2_02E604F8
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_02E6856A0_2_02E6856A
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_0552F0D00_2_0552F0D0
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_0552F0BF0_2_0552F0BF
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_05524E940_2_05524E94
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_055268700_2_05526870
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_055268600_2_05526860
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_07992BE00_2_07992BE0
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_079E96880_2_079E9688
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_079E00060_2_079E0006
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_079E00400_2_079E0040
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 1_2_030146A01_2_030146A0
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 1_2_030146731_2_03014673
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 1_2_030146901_2_03014690
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 1_2_030145B01_2_030145B0
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 1_2_0301D9801_2_0301D980
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 1_2_064269281_2_06426928
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 1_2_064294F81_2_064294F8
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 1_2_064275401_2_06427540
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 1_2_06426C701_2_06426C70
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.272914164.0000000003061000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs SWIFT copy.29112022.Pdf.exe
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs SWIFT copy.29112022.Pdf.exe
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.273116142.00000000030A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePrecision.dll6 vs SWIFT copy.29112022.Pdf.exe
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.273116142.00000000030A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameInspector.dllN vs SWIFT copy.29112022.Pdf.exe
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.284983154.00000000043E7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs SWIFT copy.29112022.Pdf.exe
                Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000002.514468515.0000000001158000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SWIFT copy.29112022.Pdf.exe
                Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000000.269854347.0000000000438000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs SWIFT copy.29112022.Pdf.exe
                Source: SWIFT copy.29112022.Pdf.exeBinary or memory string: OriginalFilenameVeqz.exe< vs SWIFT copy.29112022.Pdf.exe
                Source: SWIFT copy.29112022.Pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: SWIFT copy.29112022.Pdf.exeReversingLabs: Detection: 73%
                Source: SWIFT copy.29112022.Pdf.exeVirustotal: Detection: 30%
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeProcess created: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeProcess created: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT copy.29112022.Pdf.exe.logJump to behavior
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
                Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000002.521706336.000000000323E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: SWIFT copy.29112022.Pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/R0cKBENTrE4ocpUnSE.csCryptographic APIs: 'CreateDecryptor'
                Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: SWIFT copy.29112022.Pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SWIFT copy.29112022.Pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: SWIFT copy.29112022.Pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: Veqz.pdb source: SWIFT copy.29112022.Pdf.exe

                Data Obfuscation

                Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/R0cKBENTrE4ocpUnSE.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 0_2_0552FA40 push ecx; ret 0_2_0552FA55
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeCode function: 1_2_0642A61F push es; iretd 1_2_0642A63C
                Source: SWIFT copy.29112022.Pdf.exeStatic PE information: 0xCCE2C364 [Sun Dec 4 21:00:20 2078 UTC]
                Source: initial sampleStatic PE information: section name: .text entropy: 7.826301761256588
                Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/m1DBkvhxrLDaHx1aXT.csHigh entropy of concatenated method names: '.ctor', 'lAKyLsrRhI', 'sSxyIq1RUv', 'TIEyRgA8he', 'EDVyJvgQLA', 'cmMysasnQa', 'SUpyc1swaZ', 'sp1yfegApt', 'AXyyMY8Ym9', 'Vb8y7lJ0JH'
                Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/sgwhL7yPnX3HUGMulo.csHigh entropy of concatenated method names: '.ctor', 'vufeSgEDN', 'd2PyZNpa8', 'X8g0whL7P', 'SX3UHUGMu', 'soBEio8ZQ', 'VLao7BuEs', 'jG9hvZuqc', 'S5IOiwHg0', 'zxOvTO6fq'
                Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/JDFqGQB9MWV7DxvSyy.csHigh entropy of concatenated method names: 'UWnEXGFEt6', 'wywEu5nt55', 'tZnEFrY9Xk', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'Gk9brofdW3JVOyMxC0', 'D6VIZXhjRciYkY6W7W', 'oCSJ2HngYZuZZJ20K4', 'cuhv40Oh3jObu7a900'
                Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/R0cKBENTrE4ocpUnSE.csHigh entropy of concatenated method names: '.cctor', 'zStkhPpmy9vIW', 's2iUV5ZbJu', 'cXxUrYOsWd', 'JofUHo9own', 'uo4UxdRRlV', 'XBKUAqwvx4', 'HJYUKiiDl2', 'unAUaf33N0', 'uxJUw6R1mw'
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara matchFile source: 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 5752, type: MEMORYSTR
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe TID: 5772Thread sleep time: -38122s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe TID: 6024Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe TID: 3092Thread sleep time: -16602069666338586s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe TID: 5008Thread sleep count: 9859 > 30Jump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeWindow / User API: threadDelayed 9859Jump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeThread delayed: delay time: 38122Jump to behavior
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/R0cKBENTrE4ocpUnSE.csReference to suspicious API methods: ('iQMUDn1xkD', 'GetProcAddress@kernel32'), ('PGXUSgASJk', 'LoadLibrary@kernel32')
                Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, A/b2.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeMemory written: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeProcess created: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | Queries volume information: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe VolumeInformation
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | Code function: 1_2_06425D44 GetUserNameW,1_2_06425D44

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.276283014.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.521412516.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 5752, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: Yara match | File source: 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.276283014.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.521412516.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 5752, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR
                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 111 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | 13 Software Packing | DCSync | 114 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                Source | Detection | Scanner | Label | Link
                SWIFT copy.29112022.Pdf.exe | 73% | ReversingLabs | Win32.Trojan.Leonem |
                SWIFT copy.29112022.Pdf.exe | 30% | Virustotal | | Browse
                SWIFT copy.29112022.Pdf.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                Source | Detection | Scanner | Label | Link | Download
                1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                No contacted domains info
                Name | Source | Malicious | Antivirus Detection | Reputation
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.fontbureau.com/designerseSWIFT copy.29112022.Pdf.exe, 00000000.00000003.265995122.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.266070435.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.265884768.0000000006104000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.founder.ceSWIFT copy.29112022.Pdf.exe, 00000000.00000003.253405708.0000000006103000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://api.ipify.org%GETMozilla/5.0SWIFT copy.29112022.Pdf.exe, 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      low
                                      http://www.fontbureau.com/designersvSWIFT copy.29112022.Pdf.exe, 00000000.00000003.259946306.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259985359.0000000006105000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.fontbureau.comttoFSWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fonts.comSWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.sandoll.co.krSWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cnfSWIFT copy.29112022.Pdf.exe, 00000000.00000003.253366138.0000000006103000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253347704.0000000006103000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.galapagosdesign.com/staff/dennis.htmQSWIFT copy.29112022.Pdf.exe, 00000000.00000003.261586821.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261709013.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261757335.0000000006104000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.sakkal.comSWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.comsivaSWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.apache.org/licenses/LICENSE-2.0SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253632184.00000000060EA000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.carterandcone.comexcSWIFT copy.29112022.Pdf.exe, 00000000.00000003.253857719.0000000006105000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comSWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://DynDns.comDynDNSSWIFT copy.29112022.Pdf.exe, 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.comFSWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.sajatypeworks.comuSWIFT copy.29112022.Pdf.exe, 00000000.00000003.250782932.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250927671.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250846587.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250963346.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250995609.00000000060EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.comf9SWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.tiro.comicfSWIFT copy.29112022.Pdf.exe, 00000000.00000003.254124405.00000000060E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.comL.TTFSWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259471570.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259380642.00000000060DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/jp/SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.comaSWIFT copy.29112022.Pdf.exe, 00000000.00000003.259471570.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259380642.00000000060DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.comdSWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259471570.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259380642.00000000060DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.sajatypeworks.comalvSWIFT copy.29112022.Pdf.exe, 00000000.00000003.250578869.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250629587.00000000060EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.sajatypeworks.comofSWIFT copy.29112022.Pdf.exe, 00000000.00000003.250782932.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250927671.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251160398.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250846587.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250963346.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250995609.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251206432.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251041022.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250629587.00000000060EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlNSWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://www.founder.com.cn/cnSWIFT copy.29112022.Pdf.exe, 00000000.00000003.253357265.00000000060EA000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlSWIFT copy.29112022.Pdf.exe, 00000000.00000003.259471570.00000000060DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.jiyu-kobo.co.jp/SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254538096.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255439619.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255536119.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255031466.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255607455.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255481061.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255829393.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255925563.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.256145848.00000000060DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fonts.comw.mSWIFT copy.29112022.Pdf.exe, 00000000.00000003.251323429.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251406146.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251283967.00000000060EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fontbureau.comoSWIFT copy.29112022.Pdf.exe, 00000000.00000003.271326038.00000000060D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers8SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.fontbureau.comM95SWIFT copy.29112022.Pdf.exe, 00000000.00000003.271326038.00000000060D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.carterandcone.comceSWIFT copy.29112022.Pdf.exe, 00000000.00000003.253933848.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253917497.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254029297.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253979663.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253997155.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254013548.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253897098.0000000006104000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.founder.com.cn/cn/eiSWIFT copy.29112022.Pdf.exe, 00000000.00000003.253482553.0000000006103000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257560437.0000000006112000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257499785.0000000006113000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257336197.0000000006113000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257812332.0000000006113000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257867723.0000000006113000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257765651.0000000006113000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257891265.0000000006112000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257388371.0000000006112000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257305464.0000000006104000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      No contacted IP infos
                                                      Joe Sandbox Version:36.0.0 Rainbow Opal
                                                      Analysis ID:756157
                                                      Start date and time:2022-11-29 18:24:07 +01:00
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 7m 49s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Sample file name:SWIFT copy.29112022.Pdf.exe
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                      Number of new started processes analysed:13
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@3/1@0/0
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HDC Information:Failed
                                                      HCA Information:
                                                      • Successful, ratio: 96%
                                                      • Number of executed functions: 75
                                                      • Number of non-executed functions: 13
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com
                                                      • Not all processes were analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      Time | Type | Description
                                                      18:25:10 | API Interceptor | 708x Sleep call for process: SWIFT copy.29112022.Pdf.exe modified
                                                      No context
                                                      Process:C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1216
                                                      Entropy (8bit):5.355304211458859
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                      MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                      SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                      SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                      SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                      Malicious:true
                                                      Reputation:high, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.8190439753914545
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Windows Screen Saver (13104/52) 0.07%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      File name:SWIFT copy.29112022.Pdf.exe
                                                      File size:763392
                                                      MD5:5f400bae896422a69db460a4507fd657
                                                      SHA1:e90b7c431d34b39bef8492de7fb987f51c3fb804
                                                      SHA256:d5de496be1535d0b8d9c8f57087e9ae2a26aaf7c33c2ddca65b3231dc3b2460b
                                                      SHA512:7e54192c570d2a7fe7700d69bd782173dfe41dc102afceffbda47207d4bfcb80783f7c70bf9666e287ccbcf413bf482aeb321fe559ba7b75ae43416b0feee643
                                                      SSDEEP:12288:ZYn2P8Ai1FDasqS6/0kz0z63eR7J/ZmhOQQVvedp:qn20t1Ffl+0kzAttq62
                                                      TLSH:83F4F1BEF2EA8F12C69415F2C0D2DE3403F69683A976E75B294102D94E437E18CD67C6
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.................0.............>.... ........@.. ....................................@................................
                                                      Icon Hash:00828e8e8686b000
                                                      Entrypoint:0x4bbb3e
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0xCCE2C364 [Sun Dec 4 21:00:20 2078 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0xbbaf0          0x4b          .text
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbc000          0x5b8         .rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0xbe000          0xc           .reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0xbbaa7          0x1c          .text
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                      IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
                                                      .text   0x2000           0xb9b44       0xb9c00   False     0.899130162769179    data       7.826301761256588    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                      .rsrc   0xbc000          0x5b8         0x600     False     0.4283854166666667   data       4.110542837134713    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc  0xbe000          0xc           0x200     False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Name         RVA      Size   Type                                                                               Language  Country
                                                      RT_VERSION   0xbc0a0  0x32c  data
                                                      RT_MANIFEST  0xbc3cc  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

                                                      DLL          Import
                                                      mscoree.dll  _CorExeMain

                                                      No network behavior found

                                                      Target ID:0
                                                      Start time:18:25:00
                                                      Start date:29/11/2022
                                                      Path:C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
                                                      Imagebase:0xc50000
                                                      File size:763392 bytes
                                                      MD5 hash:5F400BAE896422A69DB460A4507FD657
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.276283014.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.276283014.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.276283014.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:low

                                                      Target ID:1
                                                      Start time:18:25:11
                                                      Start date:29/11/2022
                                                      Path:C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
                                                      Imagebase:0xd00000
                                                      File size:763392 bytes
                                                      MD5 hash:5F400BAE896422A69DB460A4507FD657
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.521412516.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                      Reputation:low

                                                        Execution Graph

                                                        Execution Coverage:10.4%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:3.1%
                                                        Total number of Nodes:223
                                                        Total number of Limit Nodes:9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.272592526.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2e60000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: UUUU
                                                        • API String ID: 0-1798160573
                                                        • Opcode ID: 8fe00b218a2e64e1a9b0a662d84e152a7bb9b247fca1e59748139aca9789166b
                                                        • Instruction ID: 9f834772dddcc52cc7257610fd2e2930874f85239387886ab9de4e6e1f8bf29c
                                                        • Opcode Fuzzy Hash: 8fe00b218a2e64e1a9b0a662d84e152a7bb9b247fca1e59748139aca9789166b
                                                        • Instruction Fuzzy Hash: C8A2B275A40228CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB321DB319E81CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.272592526.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2e60000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 81ee6efc7f89b58a0eb30240f15de7189097a06aa20f2c3a9194d73fc0955595
                                                        • Instruction ID: 68a387cb27dca26c14ed56d7b3b271ffa55146dca5373ae86be0ad4e4ffa9b03
                                                        • Opcode Fuzzy Hash: 81ee6efc7f89b58a0eb30240f15de7189097a06aa20f2c3a9194d73fc0955595
                                                        • Instruction Fuzzy Hash: F081C578E89149CFD705CB59C448FFEB7FAAB4A344F09E0A5D81AAB392C7785805CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 05523DF0
                                                        • GetCurrentThread.KERNEL32 ref: 05523E2D
                                                        • GetCurrentProcess.KERNEL32 ref: 05523E6A
                                                        • GetCurrentThreadId.KERNEL32 ref: 05523EC3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID: +_&9
                                                        • API String ID: 2063062207-2907477378
                                                        • Opcode ID: 9ea9c638d9c400e0f4da63d7e14264bd5a3f13c6afc71ff4b454de075632c423
                                                        • Instruction ID: bf6b7ee322e971ab2c97922a4a7f6862281b838729bdc478c529997c2155208b
                                                        • Opcode Fuzzy Hash: 9ea9c638d9c400e0f4da63d7e14264bd5a3f13c6afc71ff4b454de075632c423
                                                        • Instruction Fuzzy Hash: A35144B09042599FDB14CFAAD988BDEBBF0FF49318F248459E119A7390CB789844CF65
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 05523DF0
                                                        • GetCurrentThread.KERNEL32 ref: 05523E2D
                                                        • GetCurrentProcess.KERNEL32 ref: 05523E6A
                                                        • GetCurrentThreadId.KERNEL32 ref: 05523EC3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID: +_&9
                                                        • API String ID: 2063062207-2907477378
                                                        • Opcode ID: b213db34159305a5692ec4c017e173b91407fdb579bbdbcf208a9165cb842108
                                                        • Instruction ID: 6e3532871408d803d3234b1c873bf868caac1fab8e51a0a47ca198b54f25acd0
                                                        • Opcode Fuzzy Hash: b213db34159305a5692ec4c017e173b91407fdb579bbdbcf208a9165cb842108
                                                        • Instruction Fuzzy Hash: F05144B09042499FDB14CFAAD988BDEBBF0FF49318F208459E519A7390CB785944CF65
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079E8936
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.293397823.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_79e0000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID: +_&9$+_&9
                                                        • API String ID: 963392458-1576693795
                                                        • Opcode ID: 63978605d52f9eaed5c8b86130c47b4facd80a3ec4b197abf14361c8438e1a17
                                                        • Instruction ID: 7aa4cdd49ca353215c02bfbe5ee568a8953e976d35c74d012edad1dcfd69a424
                                                        • Opcode Fuzzy Hash: 63978605d52f9eaed5c8b86130c47b4facd80a3ec4b197abf14361c8438e1a17
                                                        • Instruction Fuzzy Hash: B2919FB1D0061ADFEB11CFA8C881BEDBBB6BF48308F148569D819B7250DB759981CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0552850A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID: +_&9$+_&9
                                                        • API String ID: 716092398-1576693795
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0552850A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID: +_&9$+_&9
                                                        • API String ID: 716092398-1576693795
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 05521CD6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID: +_&9
                                                        • API String ID: 4139908857-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 0552AA71
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: CallProcWindow
                                                        • String ID: +_&9
                                                        • API String ID: 2714655100-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 02E66DD9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.272592526.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2e60000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID: +_&9
                                                        • API String ID: 2289755597-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 02E66DD9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.272592526.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2e60000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID: +_&9
                                                        • API String ID: 2289755597-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079E8478
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.293397823.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_79e0000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID: +_&9
                                                        • API String ID: 3559483778-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0552403F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID: +_&9
                                                        • API String ID: 3793708945-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079E8588
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.293397823.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_79e0000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID: +_&9
                                                        • API String ID: 1726664587-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 079E81DE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.293397823.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_79e0000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: ContextThread
                                                        • String ID: +_&9
                                                        • API String ID: 1591575202-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0552403F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID: +_&9
                                                        • API String ID: 3793708945-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05521D51,00000800,00000000,00000000), ref: 05521F62
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID: +_&9
                                                        • API String ID: 1029625771-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079E8366
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.293397823.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_79e0000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID: +_&9
                                                        • API String ID: 4275171209-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05521D51,00000800,00000000,00000000), ref: 05521F62
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID: +_&9
                                                        • API String ID: 1029625771-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.293397823.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_79e0000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID: +_&9
                                                        • API String ID: 947044025-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 05521CD6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID: +_&9
                                                        • API String ID: 4139908857-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetWindowLongW.USER32(?,?,?), ref: 0552869D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: LongWindow
                                                        • String ID: +_&9
                                                        • API String ID: 1378638983-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 07991535
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.293180023.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7990000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID: +_&9
                                                        • API String ID: 410705778-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetWindowLongW.USER32(?,?,?), ref: 0552869D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: LongWindow
                                                        • String ID: +_&9
                                                        • API String ID: 1378638983-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 07991535
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.293180023.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7990000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID: +_&9
                                                        • API String ID: 410705778-2907477378
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        • Instruction Fuzzy Hash: D9C18775E416288FDB58DF6AC9846DABBF2BF89304F14C0A9D409AB325DB315E81CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.288365444.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5520000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 70307cef7dd71c9c28ce1d699bddc9220104c06b4bc42c0c77251ef4c893fdb2
                                                        • Instruction ID: ee9213687b567058a1231be02f4d72907e7e3622f855ca6c51fefd1222b9d631
                                                        • Opcode Fuzzy Hash: 70307cef7dd71c9c28ce1d699bddc9220104c06b4bc42c0c77251ef4c893fdb2
                                                        • Instruction Fuzzy Hash: 48C13EF1C5174E8ADB10CF64E898189BB72FBC93A8FD04B08D1616B6D0D7B8116ADF54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.272592526.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2e60000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4405f5d83a835d865bc7cf92e04469cf192f6c86c76d6770471ace1dde754343
                                                        • Instruction ID: 0246e4e0aa17b34d805fc7c2ccff7727c9a4f9fdc3c22204cd53fc0c3d2350ee
                                                        • Opcode Fuzzy Hash: 4405f5d83a835d865bc7cf92e04469cf192f6c86c76d6770471ace1dde754343
                                                        • Instruction Fuzzy Hash: B3611A70A06205DFE758EF6AE49069ABBF3EF84204F15C43AC415AB264EB7858099B91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.272592526.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2e60000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dc2f504c33647859abdfcab6a7b2e90e3fedd6dc63771cb84ab66b883a6fe80b
                                                        • Instruction ID: 34f5a2a700bf4f1af9d74b07659c443af907a0abf9309f95c04b51b2b00a3aed
                                                        • Opcode Fuzzy Hash: dc2f504c33647859abdfcab6a7b2e90e3fedd6dc63771cb84ab66b883a6fe80b
                                                        • Instruction Fuzzy Hash: 7E612B70E06205DFE758EF6BE49069ABBF3FF84204F15C43AC415AB264EB7858099B91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.293397823.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_79e0000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c125769bbc4538c94c1881728082c57f27cabe1dbf7b08e8223d75e570ad1e1b
                                                        • Instruction ID: ca675e77dc1934859849ff6ae00a8fa2ba64c8f47cf337c0b4df98902266e79f
                                                        • Opcode Fuzzy Hash: c125769bbc4538c94c1881728082c57f27cabe1dbf7b08e8223d75e570ad1e1b
                                                        • Instruction Fuzzy Hash: C24132B1E05A588BEB5CCF6B8C4469AFAF7BFC9301F14C1B9C40CAA255DB7055858F11
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.272592526.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2e60000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c3161bdc26d05d1189fdb203c5fb6e266c4f13ba30e8460cc2887e3d9c45904c
                                                        • Instruction ID: 3cd39c7e547112739d387e2c4c7ffd2b5670b9a0a131640535ed985efcabead1
                                                        • Opcode Fuzzy Hash: c3161bdc26d05d1189fdb203c5fb6e266c4f13ba30e8460cc2887e3d9c45904c
                                                        • Instruction Fuzzy Hash: DC411271E416588BEB5CCF6B9D4469EFAF3BFC8300F14C5BAD80CAA264EB3105558E01
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:18%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:132
                                                        Total number of Limit Nodes:11
                                                        APIs
                                                        • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0642B633
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: NameUser
                                                        • String ID:
                                                        • API String ID: 2645101109-0
                                                        • Opcode ID: f1e9d52fbad3d5659c60a145d5d45e1e9d929225ae70f5a1069df406aad28288
                                                        • Instruction ID: 40564546652ed1543a6c70994ef5b0a9a377a7bbb9921536e2d0938ec4bb88c5
                                                        • Opcode Fuzzy Hash: f1e9d52fbad3d5659c60a145d5d45e1e9d929225ae70f5a1069df406aad28288
                                                        • Instruction Fuzzy Hash: F9512471D102298FDB14CFA9C88579EBBB1FF48318F65812AE815BB350D774A840CF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 030169A0
                                                        • GetCurrentThread.KERNEL32 ref: 030169DD
                                                        • GetCurrentProcess.KERNEL32 ref: 03016A1A
                                                        • GetCurrentThreadId.KERNEL32 ref: 03016A73
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.520325495.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_3010000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID: i
                                                        • API String ID: 2063062207-3865851505
                                                        • Opcode ID: a1de43eb0e64d3d04ed2f061efaf91505c6664cb3315b42b06f4278a1063b7c3
                                                        • Instruction ID: 6a2e6cfae5a68afbc63f158f98c28a5acfb2b99124e46b5ca803c79c6198a238
                                                        • Opcode Fuzzy Hash: a1de43eb0e64d3d04ed2f061efaf91505c6664cb3315b42b06f4278a1063b7c3
                                                        • Instruction Fuzzy Hash: D65178B0A062499FEB10CFA9D9497DEBFF0EF49314F24845AE409A7350DB356844CF65
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 030169A0
                                                        • GetCurrentThread.KERNEL32 ref: 030169DD
                                                        • GetCurrentProcess.KERNEL32 ref: 03016A1A
                                                        • GetCurrentThreadId.KERNEL32 ref: 03016A73
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.520325495.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_3010000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID:
                                                        • API String ID: 2063062207-0
                                                        • Opcode ID: 9de9b64867f653b194b406efe5b5a50da310d124b937ab039cbf4ab53637d814
                                                        • Instruction ID: e14be1e83149a96964d5b9fce34492b8a74cbc374e5828a21feb8a45527405a4
                                                        • Opcode Fuzzy Hash: 9de9b64867f653b194b406efe5b5a50da310d124b937ab039cbf4ab53637d814
                                                        • Instruction Fuzzy Hash: 745166B0A022499FDB10CFAAD948BEEFBF4EF88304F208459E419A7350CB356844CF65
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: c75fd734ee4f80f563a71502cd2b26a6e2bdf815cf3b17d29ac6d4df919f736c
                                                        • Instruction ID: 7c49c49133e6f5dca59e5289562e2b15c2fb50dfe11beffeb3047eb2754a4a93
                                                        • Opcode Fuzzy Hash: c75fd734ee4f80f563a71502cd2b26a6e2bdf815cf3b17d29ac6d4df919f736c
                                                        • Instruction Fuzzy Hash: 0C521B75A01229CFCBA5EF70D85869DB7BABF48305F6045EAD50AA3350CB349E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: c1b54d02a13fd95b59ef231f458d9f73ad35fcf81dc74107894a106fc449a5a9
                                                        • Instruction ID: 69c9d0e5f08ba9d0e1d4f565d145c1404064518998439827f6ffa0731c64e889
                                                        • Opcode Fuzzy Hash: c1b54d02a13fd95b59ef231f458d9f73ad35fcf81dc74107894a106fc449a5a9
                                                        • Instruction Fuzzy Hash: 06F11975A05229CFCBA5DB30D88869DB7B6BF89309F6045DEC50AA3350CB359E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: 25f0efc5bdd6a6487c08a3a889b47d3130e2dca8b31310de660e9ed521d3342a
                                                        • Instruction ID: d358f8bf74b0ff087531b576cf7e5511b73548d7d03acc037ba1a7c01f54a868
                                                        • Opcode Fuzzy Hash: 25f0efc5bdd6a6487c08a3a889b47d3130e2dca8b31310de660e9ed521d3342a
                                                        • Instruction Fuzzy Hash: 83F11975A05229CFCBA5DB30D89869DB7B6BF89309F6044DEC50AA3350CB359E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: d97109fd10e6a8fbba4d63ee3c410be86e877ca2983f675b42a54886e9e0159c
                                                        • Instruction ID: 0db4bec9bbfc28f7803f72e8872b859b1c8f1c390c173c5edb4b72acdc1a458a
                                                        • Opcode Fuzzy Hash: d97109fd10e6a8fbba4d63ee3c410be86e877ca2983f675b42a54886e9e0159c
                                                        • Instruction Fuzzy Hash: B7F10A75A05229CFCBA5DB30D89869DB7B6BF89309F6044DEC509A3350CB359E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: 402bbe19c3449ab0d4a23e99120863b96eb2fe71ab44d3acd15c98c5a634dafe
                                                        • Instruction ID: 22f3b7bcc34ce92e6f5123865f9548630312c0e92e0ffadefeeaebe219f12f2b
                                                        • Opcode Fuzzy Hash: 402bbe19c3449ab0d4a23e99120863b96eb2fe71ab44d3acd15c98c5a634dafe
                                                        • Instruction Fuzzy Hash: 00F10975A05229CFCBA5DB30D89869DB7B6BF89309F6044DAC50AA3350CB359E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: ee463b2c8fc5e1bc57f2a81c222a7fbfee237fa3c17e8bf7d8a8989055664fff
                                                        • Instruction ID: aae4d299e55572322cca3f7efd52b2d18ee5571108431a0d5ecf9bc38aa48688
                                                        • Opcode Fuzzy Hash: ee463b2c8fc5e1bc57f2a81c222a7fbfee237fa3c17e8bf7d8a8989055664fff
                                                        • Instruction Fuzzy Hash: BCE10A75A05229CFCBA5DB30D89869DB7B6BF89309F6044EEC50A93350CB359E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: 028c1e0f61eb17da59c87ed18ac411fcd61ff76098d544378455157649dfa446
                                                        • Instruction ID: 5181f8b624be320a7de6d5c6cc451ac1650f33080f51eeb7824786b2f26ffe20
                                                        • Opcode Fuzzy Hash: 028c1e0f61eb17da59c87ed18ac411fcd61ff76098d544378455157649dfa446
                                                        • Instruction Fuzzy Hash: 9FE10A75A05229CFCBA5DB30D85869DB7B6BF89309F6044EAC50993350CB359E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: a9dc5b0eae1f111e3e029a961fe48bf328e93290f0436d8cf25be2d4467b6db5
                                                        • Instruction ID: 133b87476b0823e3a3ec0c0687cdcf454b371bfcd0ccaa1c3c23d788ed85afa3
                                                        • Opcode Fuzzy Hash: a9dc5b0eae1f111e3e029a961fe48bf328e93290f0436d8cf25be2d4467b6db5
                                                        • Instruction Fuzzy Hash: E7E10975A05229CFCB65DB30D89869DB7B6BF89309F6044EAC50AA3350CB359E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: c21cae2f3c4a48dbcca79bfc2132b69a1de36134c9ee26a2bc4ed42627180138
                                                        • Instruction ID: ab157a5b7c2ac0665dc28e52b6d392757455014954fc67af5910eda5962e25d5
                                                        • Opcode Fuzzy Hash: c21cae2f3c4a48dbcca79bfc2132b69a1de36134c9ee26a2bc4ed42627180138
                                                        • Instruction Fuzzy Hash: 16E11975A05229CFCB65DF30D85869DB7B6BF88309F6044EAC50AA3350CB359E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: d95691c19f7268a5a8519128de05160650876dc7c69046f7426d1458a6df2893
                                                        • Instruction ID: 8bc4fc3ae2c3ff4d5fda0317c2e953003b841aff1602e9d2278803e23ade24eb
                                                        • Opcode Fuzzy Hash: d95691c19f7268a5a8519128de05160650876dc7c69046f7426d1458a6df2893
                                                        • Instruction Fuzzy Hash: 28D12A75A01229CFCB65DF30D89869DB7BABF89305F6044EAC50AA3350CB349E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: 19cf342e77cc7beb18513530391dea5a685e80a1989abfb6ff0cfc44a865da4e
                                                        • Instruction ID: 11f78fd07fd5c495d25cda48557db46ed63cddc883ee087472e7dae10814c016
                                                        • Opcode Fuzzy Hash: 19cf342e77cc7beb18513530391dea5a685e80a1989abfb6ff0cfc44a865da4e
                                                        • Instruction Fuzzy Hash: F1D10A75A05229CFCB65DF70D89869DB7BABF88305F6044EAC50AA3350CB359E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: a3f1468c981dd64d9c0a0d9d5bd4b1c05396fabf708fde3a6f5cb4f3af6fca63
                                                        • Instruction ID: b0cbc79cf76d6564372f4d30cb51fb4b9ae4b8325873d56099673e2a6d8d7e2e
                                                        • Opcode Fuzzy Hash: a3f1468c981dd64d9c0a0d9d5bd4b1c05396fabf708fde3a6f5cb4f3af6fca63
                                                        • Instruction Fuzzy Hash: 40D10975A05229CFCB65DB70D89869DB7BABF88305F6044EAC50AA3350CB359E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 03014116
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.520325495.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_3010000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 104ad2047a5ad78eabcdd2f509602734216dee1a601ea3d71accb1769c936d0c
                                                        • Instruction ID: 0d16eacdb9bc4f0d858d58a09162600e9ae6498cb92f03383ffc60df79d00d1b
                                                        • Opcode Fuzzy Hash: 104ad2047a5ad78eabcdd2f509602734216dee1a601ea3d71accb1769c936d0c
                                                        • Instruction Fuzzy Hash: 7CA19878B017059FDB54EF69D484A6EBBF2FF88208B148A6DD40ADB750DF74E8118B90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: 378f9d9e68e1ce27481be3dea7f3b14aa184093f494d7ae64bc2b06b37097b47
                                                        • Instruction ID: 3c7630d3221370f2e000c53ea79a51e3be0568908f853b59f1e13248414b0e4d
                                                        • Opcode Fuzzy Hash: 378f9d9e68e1ce27481be3dea7f3b14aa184093f494d7ae64bc2b06b37097b47
                                                        • Instruction Fuzzy Hash: C8C10975A05229CFCB65DB70D85869DB7BABF88309F6044EAC50AA3350CB359E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: 01f4e64f0197aa6cf7cabdb8cdb152aef78fb13171161438b2ba9fd8d4472847
                                                        • Instruction ID: 12dbb4b540c8c4949d8bf6f1485a4e0f68b343149279e1844acd91e1bbc1822c
                                                        • Opcode Fuzzy Hash: 01f4e64f0197aa6cf7cabdb8cdb152aef78fb13171161438b2ba9fd8d4472847
                                                        • Instruction Fuzzy Hash: 3DC11975A05229CFCB65DF70D85869DB7BABF88305F6044EAC50AA3350CB349E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: a3d854e06bd805f8ce46467d42089b44c5dae594ba91c74f83684044d0f6f2cd
                                                        • Instruction ID: 544d6f8d34efcd569e6cba3e205ea4783a70b9b47f35897c005285858f95929f
                                                        • Opcode Fuzzy Hash: a3d854e06bd805f8ce46467d42089b44c5dae594ba91c74f83684044d0f6f2cd
                                                        • Instruction Fuzzy Hash: 5EC11975A05229CFCB65DF70D89869DB7BABF88305F6044EAD50AA3350CB349E81CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0642CDC6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0642B633
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: NameUser
                                                        • String ID:
                                                        • API String ID: 2645101109-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0642B633
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.523132671.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_6420000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: NameUser
                                                        • String ID:
                                                        • API String ID: 2645101109-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 030151A2
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.520325495.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_3010000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 030151A2
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.520325495.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_3010000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 03017F09
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.520325495.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_3010000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: CallProcWindow
                                                        • String ID:
                                                        • API String ID: 2714655100-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlEncodePointer.NTDLL(00000000), ref: 0301C192
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.520325495.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_3010000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: EncodePointer
                                                        • String ID:
                                                        • API String ID: 2118026453-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03016BEF
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.520325495.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_3010000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03016BEF
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.520325495.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_3010000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlEncodePointer.NTDLL(00000000), ref: 0301C192
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.520325495.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_3010000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: EncodePointer
                                                        • String ID:
                                                        • API String ID: 2118026453-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 03014116
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.520325495.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_3010000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 03014116
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.520325495.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_3010000_SWIFT copy.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 03014116
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.520325495.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%