Edit tour

Windows Analysis Report
SWIFT Transfer (103) 037RTG2050822156Pdf.exe

Overview

General Information

Sample Name:	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Analysis ID:	680484
MD5:	47b96215204bad8db8ce43a4685ee74c
SHA1:	6b5af0c13af653e5347e1b5e6a7f3bbecee257d5
SHA256:	613edebe9f20eff6958bc447fa000388c1b986e1cdb76930ca061d2c92fe952c
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus detection for URL or domain

Sample uses process hollowing technique

Uses netstat to query active network connections and open ports

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Queues an APC in another process (thread injection)

Deletes itself after installation

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe (PID: 5860 cmdline: "C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe" MD5: 47B96215204BAD8DB8CE43A4685EE74C)

SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe (PID: 5032 cmdline: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe MD5: 47B96215204BAD8DB8CE43A4685EE74C)

explorer.exe (PID: 684 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

NETSTAT.EXE (PID: 5260 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.classicpretty.com/qkkr/"], "decoy": ["7gCdEvi4PU1csVn41UdG95Ufy7SR", "3/kS/9ZgObTlShULwBM8", "UmkOiGYioBlRs12D06oGbv8X", "JHVcqPzZQM4=", "597t26RTZoSV64ak89Q0kUqhiRWZ", "EGeQhlYOeLg5jSU=", "uPMS7r10aXmis6FQ", "bBxVPrS1SNM=", "TGkjh14+21mDz2aAy6gGbv8X", "Jm3QiEjsOJLnDPGK/GhezP9J+w==", "nqvLrZVqboJ018dvX1tvKr8fy7SR", "6TLsXCjsdIRapiVFFW8QLq/Jpyz84bgt", "zAmlDcFiMH2BzqHdfrG10w==", "80byQOwlybg5jSU=", "7+wUCuhxEmJpdn22IQ==", "2BtALhSuf7+qDZLEoxy5YDqSQ7Y=", "Sl3pWETqy+UJZw==", "5O597tysPrbdIcfwRTbC6zqSQ7Y=", "jLnMq5lBKkZChXBmO5s=", "kYuyrH0QySmG5nu1XpW42Q==", "AVBMJBLacrg5jSU=", "A3EiigAN5iQV", "F/sA6K0zGK38TcjqqZf6a/EO", "mO3ly4UvKJ/lKazOfrG10w==", "g5r8xzg9f6x0bHBmO5s=", "/iOw+dqWvwIJZTvwt5b2X+QE", "VpOyflNVFjEf", "GXQWhGozhjmnBet72T7lWsEQ8w==", "rdYUAOqoZ7nfIslcROQt2fE=", "X2RvVx7e62F4x5E4CnV6WsEQ8w==", "0yCtNg7Wcrg5jSU=", "mbPTqHUVyhQpm3BmO5s=", "+kM7JyLOqy5x0YEX4FFtWsEQ8w==", "zzzpWjjD3j6BlWuc/uL7qEOX+qaI", "txIhBcxwTa3+XYzyzJUw2w==", "UVf1TAGb+4XmRb/87Vn5I6DHK9Gb", "NpNAvptlQJ8D2yU3Ft/6a/EO", "4w0O8uNWqzaZ6lNzR+Qt2fE=", "T0/XSzLua7BYvzw=", "AQCJ9bFtcX+S2KNXKQ==", "S6XAupU+A01SrXBmO5s=", "WJvBvpRANTlylxBBJRQj", "Roespn0fNnSis6FQ", "Zl5zgV8FJGthukV331t6WsEQ8w==", "yR+1GPuz6jBXvZc8CfH5tWXFZft+h3kl", "GEdYQw64y+UJZw==", "V1FZLCjxcvJZsZ5efrG10w==", "8xE8RCS8y+UJZw==", "gdDo2JE7Q8srfuoAw6z6a/EO", "ywKjBNd8tKn2FbvOfrG10w==", "MdAFl1EPS0heyzI=", "SZOLcznb1vDhGNuKX1F4F8r4lqQvvQ==", "8RIpGwG+nyBWdn22IQ==", "vxU/Ngu8y+UJZw==", "c5C7l14L4DFQdn22IQ==", "vAftT7Dd5+yadn22IQ==", "aLlEn2PsEmiis6FQ", "2yHKQhapTpn2LLNH", "vLhJvJ5k516vEb73TypG4pEfy7SR", "k+Hy17lycX+S2KNXKQ==", "0NHXxJo7WJqhGrDmvK36a/EO", "3tQjHQW5y+UJZw==", "Yu0MIIV4OYT2LLNH", "aK05uHh9U9cgfg=="]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xdc40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x6e27:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x6c25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x66d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6d27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x6e9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x58ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xc897:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xd9aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x92e9:$sqlite3step: 68 34 1C 7B E1 0x941c:$sqlite3step: 68 34 1C 7B E1 0x932b:$sqlite3text: 68 38 2A 90 C5 0x9473:$sqlite3text: 68 38 2A 90 C5 0x9342:$sqlite3blob: 68 53 D8 7F 8C 0x9495:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x55e1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cc40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x957f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15e27:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x15c25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x156d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15d27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15e9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x914a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x148ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9e92:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b897:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c9aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x182e9:$sqlite3step: 68 34 1C 7B E1 0x1841c:$sqlite3step: 68 34 1C 7B E1 0x1832b:$sqlite3text: 68 38 2A 90 C5 0x18473:$sqlite3text: 68 38 2A 90 C5 0x18342:$sqlite3blob: 68 53 D8 7F 8C 0x18495:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x65e1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1dc40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa57f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16e27:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16c25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x166d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16d27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16e9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa14a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x158ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xae92:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c897:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d9aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x192e9:$sqlite3step: 68 34 1C 7B E1 0x1941c:$sqlite3step: 68 34 1C 7B E1 0x1932b:$sqlite3text: 68 38 2A 90 C5 0x19473:$sqlite3text: 68 38 2A 90 C5 0x19342:$sqlite3blob: 68 53 D8 7F 8C 0x19495:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.467346210.00000000032FB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x35319:$a1: 3C 30 50 4F 53 54 74 09 40 0x61739:$a1: 3C 30 50 4F 53 54 74 09 40 0x8cb59:$a1: 3C 30 50 4F 53 54 74 09 40 0x4c978:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x78d98:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa41b8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x392b7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x656d7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x90af7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x45b5f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x71f7f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x9d39f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x4595d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71d7d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x9d19d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x45409:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x71829:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x9cc49:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x45a5f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71e7f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9d29f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x45bd7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x71ff7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9d417:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x38e82:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x652a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x906c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x44624:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x70a44:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9be64:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x39bca:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x65fea:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x9140a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x48021:$sqlite3step: 68 34 1C 7B E1 0x48154:$sqlite3step: 68 34 1C 7B E1 0x74441:$sqlite3step: 68 34 1C 7B E1 0x74574:$sqlite3step: 68 34 1C 7B E1 0x9f861:$sqlite3step: 68 34 1C 7B E1 0x9f994:$sqlite3step: 68 34 1C 7B E1 0x48063:$sqlite3text: 68 38 2A 90 C5 0x481ab:$sqlite3text: 68 38 2A 90 C5 0x74483:$sqlite3text: 68 38 2A 90 C5 0x745cb:$sqlite3text: 68 38 2A 90 C5 0x9f8a3:$sqlite3text: 68 38 2A 90 C5 0x9f9eb:$sqlite3text: 68 38 2A 90 C5 0x4807a:$sqlite3blob: 68 53 D8 7F 8C 0x481cd:$sqlite3blob: 68 53 D8 7F 8C 0x7449a:$sqlite3blob: 68 53 D8 7F 8C 0x745ed:$sqlite3blob: 68 53 D8 7F 8C 0x9f8ba:$sqlite3blob: 68 53 D8 7F 8C 0x9fa0d:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x65e1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1dc40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa57f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16e27:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16c25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x166d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16d27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16e9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa14a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x158ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xae92:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c897:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d9aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x192e9:$sqlite3step: 68 34 1C 7B E1 0x1941c:$sqlite3step: 68 34 1C 7B E1 0x1932b:$sqlite3text: 68 38 2A 90 C5 0x19473:$sqlite3text: 68 38 2A 90 C5 0x19342:$sqlite3blob: 68 53 D8 7F 8C 0x19495:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xdc40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x6e27:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x6c25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x66d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6d27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x6e9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x58ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xc897:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xd9aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x92e9:$sqlite3step: 68 34 1C 7B E1 0x941c:$sqlite3step: 68 34 1C 7B E1 0x932b:$sqlite3text: 68 38 2A 90 C5 0x9473:$sqlite3text: 68 38 2A 90 C5 0x9342:$sqlite3blob: 68 53 D8 7F 8C 0x9495:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x65e1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1dc40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa57f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16e27:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16c25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x166d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16d27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16e9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa14a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x158ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xae92:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c897:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d9aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x192e9:$sqlite3step: 68 34 1C 7B E1 0x1941c:$sqlite3step: 68 34 1C 7B E1 0x1932b:$sqlite3text: 68 38 2A 90 C5 0x19473:$sqlite3text: 68 38 2A 90 C5 0x19342:$sqlite3blob: 68 53 D8 7F 8C 0x19495:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5860	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5860	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x937a4:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5032	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x932c3:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: NETSTAT.EXE PID: 5260	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6423a:$a1: 3C 30 50 4F 53 54 74 09 40 0x12025d:$a1: 3C 30 50 4F 53 54 74 09 40 0x14922a:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x57e1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1ce40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x977f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16027:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x15e25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x158d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15f27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1609f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x934a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14aec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa092:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ba97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cbaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x184e9:$sqlite3step: 68 34 1C 7B E1 0x1861c:$sqlite3step: 68 34 1C 7B E1 0x1852b:$sqlite3text: 68 38 2A 90 C5 0x18673:$sqlite3text: 68 38 2A 90 C5 0x18542:$sqlite3blob: 68 53 D8 7F 8C 0x18695:$sqlite3blob: 68 53 D8 7F 8C
15.2.NETSTAT.EXE.3a67a24.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.d10000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x34801:$a1: 3C 30 50 4F 53 54 74 09 40 0x60c21:$a1: 3C 30 50 4F 53 54 74 09 40 0x8c041:$a1: 3C 30 50 4F 53 54 74 09 40 0x4be60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x78280:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa36a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3879f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x64bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x8ffdf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x45047:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x71467:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x9c887:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x44e45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71265:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x9c685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x448f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x70d11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x9c131:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x44f47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71367:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9c787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x450bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x714df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9c8ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3836a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x6478a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8fbaa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x43b0c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x6ff2c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b34c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x390b2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x654d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x908f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x47509:$sqlite3step: 68 34 1C 7B E1 0x4763c:$sqlite3step: 68 34 1C 7B E1 0x73929:$sqlite3step: 68 34 1C 7B E1 0x73a5c:$sqlite3step: 68 34 1C 7B E1 0x9ed49:$sqlite3step: 68 34 1C 7B E1 0x9ee7c:$sqlite3step: 68 34 1C 7B E1 0x4754b:$sqlite3text: 68 38 2A 90 C5 0x47693:$sqlite3text: 68 38 2A 90 C5 0x7396b:$sqlite3text: 68 38 2A 90 C5 0x73ab3:$sqlite3text: 68 38 2A 90 C5 0x9ed8b:$sqlite3text: 68 38 2A 90 C5 0x9eed3:$sqlite3text: 68 38 2A 90 C5 0x47562:$sqlite3blob: 68 53 D8 7F 8C 0x476b5:$sqlite3blob: 68 53 D8 7F 8C 0x73982:$sqlite3blob: 68 53 D8 7F 8C 0x73ad5:$sqlite3blob: 68 53 D8 7F 8C 0x9eda2:$sqlite3blob: 68 53 D8 7F 8C 0x9eef5:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Virustotal: Detection: 40%			Perma Link
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	ReversingLabs: Detection: 46%

Yara detected FormBook

Source: Yara match	File source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: www.classicpretty.com/qkkr/

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Joe Sandbox ML: detected

Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.classicpretty.com/qkkr/"], "decoy": ["7gCdEvi4PU1csVn41UdG95Ufy7SR", "3/kS/9ZgObTlShULwBM8", "UmkOiGYioBlRs12D06oGbv8X", "JHVcqPzZQM4=", "597t26RTZoSV64ak89Q0kUqhiRWZ", "EGeQhlYOeLg5jSU=", "uPMS7r10aXmis6FQ", "bBxVPrS1SNM=", "TGkjh14+21mDz2aAy6gGbv8X", "Jm3QiEjsOJLnDPGK/GhezP9J+w==", "nqvLrZVqboJ018dvX1tvKr8fy7SR", "6TLsXCjsdIRapiVFFW8QLq/Jpyz84bgt", "zAmlDcFiMH2BzqHdfrG10w==", "80byQOwlybg5jSU=", "7+wUCuhxEmJpdn22IQ==", "2BtALhSuf7+qDZLEoxy5YDqSQ7Y=", "Sl3pWETqy+UJZw==", "5O597tysPrbdIcfwRTbC6zqSQ7Y=", "jLnMq5lBKkZChXBmO5s=", "kYuyrH0QySmG5nu1XpW42Q==", "AVBMJBLacrg5jSU=", "A3EiigAN5iQV", "F/sA6K0zGK38TcjqqZf6a/EO", "mO3ly4UvKJ/lKazOfrG10w==", "g5r8xzg9f6x0bHBmO5s=", "/iOw+dqWvwIJZTvwt5b2X+QE", "VpOyflNVFjEf", "GXQWhGozhjmnBet72T7lWsEQ8w==", "rdYUAOqoZ7nfIslcROQt2fE=", "X2RvVx7e62F4x5E4CnV6WsEQ8w==", "0yCtNg7Wcrg5jSU=", "mbPTqHUVyhQpm3BmO5s=", "+kM7JyLOqy5x0YEX4FFtWsEQ8w==", "zzzpWjjD3j6BlWuc/uL7qEOX+qaI", "txIhBcxwTa3+XYzyzJUw2w==", "UVf1TAGb+4XmRb/87Vn5I6DHK9Gb", "NpNAvptlQJ8D2yU3Ft/6a/EO", "4w0O8uNWqzaZ6lNzR+Qt2fE=", "T0/XSzLua7BYvzw=", "AQCJ9bFtcX+S2KNXKQ==", "S6XAupU+A01SrXBmO5s=", "WJvBvpRANTlylxBBJRQj", "Roespn0fNnSis6FQ", "Zl5zgV8FJGthukV331t6WsEQ8w==", "yR+1GPuz6jBXvZc8CfH5tWXFZft+h3kl", "GEdYQw64y+UJZw==", "V1FZLCjxcvJZsZ5efrG10w==", "8xE8RCS8y+UJZw==", "gdDo2JE7Q8srfuoAw6z6a/EO", "ywKjBNd8tKn2FbvOfrG10w==", "MdAFl1EPS0heyzI=", "SZOLcznb1vDhGNuKX1F4F8r4lqQvvQ==", "8RIpGwG+nyBWdn22IQ==", "vxU/Ngu8y+UJZw==", "c5C7l14L4DFQdn22IQ==", "vAftT7Dd5+yadn22IQ==", "aLlEn2PsEmiis6FQ", "2yHKQhapTpn2LLNH", "vLhJvJ5k516vEb73TypG4pEfy7SR", "k+Hy17lycX+S2KNXKQ==", "0NHXxJo7WJqhGrDmvK36a/EO", "3tQjHQW5y+UJZw==", "Yu0MIIV4OYT2LLNH", "aK05uHh9U9cgfg=="]}

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: netstat.pdbGCTL source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netstat.pdb source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.464845740.00000000010F8000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.633709090.000000000064D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.630998523.00000000004A4000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.696035428.000000000352F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.464845740.00000000010F8000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.633709090.000000000064D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.630998523.00000000004A4000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.696035428.000000000352F000.00000040.00000800.00020000.00000000.sdmp

Networking

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

Yara detected Generic Downloader

Source: Yara match	File source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, type: SAMPLE
Source: Yara match	File source: 15.2.NETSTAT.EXE.3a67a24.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.d10000.0.unpack, type: UNPACKEDPE

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.classicpretty.com/qkkr/

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	String found in binary or memory: http://boards.4chan.org/b/
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	String found in binary or memory: http://boards.4chan.org3Retrieving
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	String found in binary or memory: http://images.4chan.org/
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: www.thesnapnsipbottle.com

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5860, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5032, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 5260, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5860, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5032, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 5260, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 0_2_01803DC4	0_2_01803DC4
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 0_2_01808458	0_2_01808458
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B0D20	6_2_012B0D20
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012D4120	6_2_012D4120
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BF900	6_2_012BF900
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01381D55	6_2_01381D55
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E2581	6_2_012E2581
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012CD5E0	6_2_012CD5E0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C841F	6_2_012C841F
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371002	6_2_01371002
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E20A0	6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012CB090	6_2_012CB090
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EEBB0	6_2_012EEBB0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012D6E30	6_2_012D6E30

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Code function: String function: 012BB150 appears 35 times

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_012F9910
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9540 NtReadFile,LdrInitializeThunk,	6_2_012F9540
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F99A0 NtCreateSection,LdrInitializeThunk,	6_2_012F99A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F95D0 NtClose,LdrInitializeThunk,	6_2_012F95D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9860 NtQuerySystemInformation,LdrInitializeThunk,	6_2_012F9860
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9840 NtDelayExecution,LdrInitializeThunk,	6_2_012F9840
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F98F0 NtReadVirtualMemory,LdrInitializeThunk,	6_2_012F98F0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9710 NtQueryInformationToken,LdrInitializeThunk,	6_2_012F9710
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F97A0 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_012F97A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9780 NtMapViewOfSection,LdrInitializeThunk,	6_2_012F9780
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9FE0 NtCreateMutant,LdrInitializeThunk,	6_2_012F9FE0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9A20 NtResumeThread,LdrInitializeThunk,	6_2_012F9A20
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9A00 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_012F9A00
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9660 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_012F9660
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9A50 NtCreateFile,LdrInitializeThunk,	6_2_012F9A50
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F96E0 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_012F96E0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9520 NtWaitForSingleObject,	6_2_012F9520
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012FAD30 NtSetContextThread,	6_2_012FAD30
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9560 NtWriteFile,	6_2_012F9560
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9950 NtQueueApcThread,	6_2_012F9950
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F95F0 NtQueryInformationFile,	6_2_012F95F0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F99D0 NtCreateProcessEx,	6_2_012F99D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9820 NtEnumerateKey,	6_2_012F9820
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012FB040 NtSuspendThread,	6_2_012FB040
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F98A0 NtWriteVirtualMemory,	6_2_012F98A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9730 NtQueryVirtualMemory,	6_2_012F9730
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9B00 NtSetValueKey,	6_2_012F9B00
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012FA710 NtOpenProcessToken,	6_2_012FA710
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9760 NtOpenProcess,	6_2_012F9760
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9770 NtSetInformationFile,	6_2_012F9770
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012FA770 NtOpenThread,	6_2_012FA770
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012FA3B0 NtGetContextThread,	6_2_012FA3B0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9A10 NtQuerySection,	6_2_012F9A10
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9610 NtEnumerateValueKey,	6_2_012F9610
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9670 NtQueryInformationProcess,	6_2_012F9670
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9650 NtQueryValueKey,	6_2_012F9650
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F9A80 NtOpenDirectoryObject,	6_2_012F9A80
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F96D0 NtCreateKey,	6_2_012F96D0

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.491093664.0000000007890000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.491770747.0000000007A10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.468118041.000000000333C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000000.415017725.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameICryptoTransf.exe: vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.487937932.0000000007860000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000003.451204538.00000000076F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.465937869.0000000001217000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Binary or memory string: OriginalFilenameICryptoTransf.exe: vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Virustotal: Detection: 40%
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	ReversingLabs: Detection: 46%

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe "C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe"
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process created: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process created: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/1@1/0

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/Archiving/Zip/Compression/Streams/DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/frmMain.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: netstat.pdbGCTL source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netstat.pdb source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.464845740.00000000010F8000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.633709090.000000000064D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.630998523.00000000004A4000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.696035428.000000000352F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.464845740.00000000010F8000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.633709090.000000000064D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.630998523.00000000004A4000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.696035428.000000000352F000.00000040.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/frmMain.cs

.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Code function: 6_2_0130D0D1 push ecx; ret

6_2_0130D0E4

Source: initial sample

Static PE information: section name: .text entropy: 7.5981105192888725

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\NETSTAT.EXE

File deleted: c:\users\user\desktop\swift transfer (103) __037rtg2050822156____pdf__.exe

Jump to behavior

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.467346210.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5860, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.467346210.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.467346210.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe TID: 5792	Thread sleep time: -45877s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe TID: 2884	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Code function: 6_2_012F6DE6 rdtsc

6_2_012F6DE6

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

API coverage: 5.9 %

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Thread delayed: delay time: 45877			Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000007.00000000.554128004.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.509018964.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000003.456658745.0000000007970000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: >bHgfs
Source: explorer.exe, 00000007.00000000.554128004.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.554128004.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.509899975.0000000007F8A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.545591194.0000000006915000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.554256507.00000000080B1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000000.509899975.0000000007F8A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Code function: 6_2_012F6DE6 rdtsc

6_2_012F6DE6

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0133A537 mov eax, dword ptr fs:[00000030h]	6_2_0133A537
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01388D34 mov eax, dword ptr fs:[00000030h]	6_2_01388D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012D4120 mov eax, dword ptr fs:[00000030h]	6_2_012D4120
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012D4120 mov eax, dword ptr fs:[00000030h]	6_2_012D4120
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012D4120 mov eax, dword ptr fs:[00000030h]	6_2_012D4120
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012D4120 mov eax, dword ptr fs:[00000030h]	6_2_012D4120
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012D4120 mov ecx, dword ptr fs:[00000030h]	6_2_012D4120
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E513A mov eax, dword ptr fs:[00000030h]	6_2_012E513A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E513A mov eax, dword ptr fs:[00000030h]	6_2_012E513A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E4D3B mov eax, dword ptr fs:[00000030h]	6_2_012E4D3B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E4D3B mov eax, dword ptr fs:[00000030h]	6_2_012E4D3B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E4D3B mov eax, dword ptr fs:[00000030h]	6_2_012E4D3B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]	6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]	6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]	6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]	6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]	6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]	6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]	6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]	6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]	6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]	6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]	6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]	6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]	6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BAD30 mov eax, dword ptr fs:[00000030h]	6_2_012BAD30
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B9100 mov eax, dword ptr fs:[00000030h]	6_2_012B9100
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B9100 mov eax, dword ptr fs:[00000030h]	6_2_012B9100
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B9100 mov eax, dword ptr fs:[00000030h]	6_2_012B9100
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BC962 mov eax, dword ptr fs:[00000030h]	6_2_012BC962
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BB171 mov eax, dword ptr fs:[00000030h]	6_2_012BB171
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BB171 mov eax, dword ptr fs:[00000030h]	6_2_012BB171
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012DC577 mov eax, dword ptr fs:[00000030h]	6_2_012DC577
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012DC577 mov eax, dword ptr fs:[00000030h]	6_2_012DC577
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012DB944 mov eax, dword ptr fs:[00000030h]	6_2_012DB944
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012DB944 mov eax, dword ptr fs:[00000030h]	6_2_012DB944
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F3D43 mov eax, dword ptr fs:[00000030h]	6_2_012F3D43
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01333540 mov eax, dword ptr fs:[00000030h]	6_2_01333540
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012D7D50 mov eax, dword ptr fs:[00000030h]	6_2_012D7D50
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_013351BE mov eax, dword ptr fs:[00000030h]	6_2_013351BE
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_013351BE mov eax, dword ptr fs:[00000030h]	6_2_013351BE
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_013351BE mov eax, dword ptr fs:[00000030h]	6_2_013351BE
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_013351BE mov eax, dword ptr fs:[00000030h]	6_2_013351BE
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E61A0 mov eax, dword ptr fs:[00000030h]	6_2_012E61A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E61A0 mov eax, dword ptr fs:[00000030h]	6_2_012E61A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E35A1 mov eax, dword ptr fs:[00000030h]	6_2_012E35A1
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_013805AC mov eax, dword ptr fs:[00000030h]	6_2_013805AC
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_013805AC mov eax, dword ptr fs:[00000030h]	6_2_013805AC
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_013369A6 mov eax, dword ptr fs:[00000030h]	6_2_013369A6
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E1DB5 mov eax, dword ptr fs:[00000030h]	6_2_012E1DB5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E1DB5 mov eax, dword ptr fs:[00000030h]	6_2_012E1DB5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E1DB5 mov eax, dword ptr fs:[00000030h]	6_2_012E1DB5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h]	6_2_012B2D8A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h]	6_2_012B2D8A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h]	6_2_012B2D8A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h]	6_2_012B2D8A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h]	6_2_012B2D8A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EA185 mov eax, dword ptr fs:[00000030h]	6_2_012EA185
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012DC182 mov eax, dword ptr fs:[00000030h]	6_2_012DC182
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E2581 mov eax, dword ptr fs:[00000030h]	6_2_012E2581
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E2581 mov eax, dword ptr fs:[00000030h]	6_2_012E2581
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E2581 mov eax, dword ptr fs:[00000030h]	6_2_012E2581
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E2581 mov eax, dword ptr fs:[00000030h]	6_2_012E2581
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EFD9B mov eax, dword ptr fs:[00000030h]	6_2_012EFD9B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EFD9B mov eax, dword ptr fs:[00000030h]	6_2_012EFD9B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E2990 mov eax, dword ptr fs:[00000030h]	6_2_012E2990
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01368DF1 mov eax, dword ptr fs:[00000030h]	6_2_01368DF1
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BB1E1 mov eax, dword ptr fs:[00000030h]	6_2_012BB1E1
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BB1E1 mov eax, dword ptr fs:[00000030h]	6_2_012BB1E1
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BB1E1 mov eax, dword ptr fs:[00000030h]	6_2_012BB1E1
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012CD5E0 mov eax, dword ptr fs:[00000030h]	6_2_012CD5E0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012CD5E0 mov eax, dword ptr fs:[00000030h]	6_2_012CD5E0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_013441E8 mov eax, dword ptr fs:[00000030h]	6_2_013441E8
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h]	6_2_01336DC9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h]	6_2_01336DC9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h]	6_2_01336DC9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01336DC9 mov ecx, dword ptr fs:[00000030h]	6_2_01336DC9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h]	6_2_01336DC9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h]	6_2_01336DC9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EBC2C mov eax, dword ptr fs:[00000030h]	6_2_012EBC2C
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h]	6_2_012E002D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h]	6_2_012E002D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h]	6_2_012E002D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h]	6_2_012E002D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h]	6_2_012E002D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012CB02A mov eax, dword ptr fs:[00000030h]	6_2_012CB02A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012CB02A mov eax, dword ptr fs:[00000030h]	6_2_012CB02A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012CB02A mov eax, dword ptr fs:[00000030h]	6_2_012CB02A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012CB02A mov eax, dword ptr fs:[00000030h]	6_2_012CB02A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01337016 mov eax, dword ptr fs:[00000030h]	6_2_01337016
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01337016 mov eax, dword ptr fs:[00000030h]	6_2_01337016
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01337016 mov eax, dword ptr fs:[00000030h]	6_2_01337016
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01384015 mov eax, dword ptr fs:[00000030h]	6_2_01384015
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01384015 mov eax, dword ptr fs:[00000030h]	6_2_01384015
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]	6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0138740D mov eax, dword ptr fs:[00000030h]	6_2_0138740D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0138740D mov eax, dword ptr fs:[00000030h]	6_2_0138740D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0138740D mov eax, dword ptr fs:[00000030h]	6_2_0138740D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01336C0A mov eax, dword ptr fs:[00000030h]	6_2_01336C0A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01336C0A mov eax, dword ptr fs:[00000030h]	6_2_01336C0A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01336C0A mov eax, dword ptr fs:[00000030h]	6_2_01336C0A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01336C0A mov eax, dword ptr fs:[00000030h]	6_2_01336C0A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012D746D mov eax, dword ptr fs:[00000030h]	6_2_012D746D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01372073 mov eax, dword ptr fs:[00000030h]	6_2_01372073
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01381074 mov eax, dword ptr fs:[00000030h]	6_2_01381074
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0134C450 mov eax, dword ptr fs:[00000030h]	6_2_0134C450
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0134C450 mov eax, dword ptr fs:[00000030h]	6_2_0134C450
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EA44B mov eax, dword ptr fs:[00000030h]	6_2_012EA44B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012D0050 mov eax, dword ptr fs:[00000030h]	6_2_012D0050
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012D0050 mov eax, dword ptr fs:[00000030h]	6_2_012D0050
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F90AF mov eax, dword ptr fs:[00000030h]	6_2_012F90AF
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h]	6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h]	6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h]	6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h]	6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h]	6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h]	6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EF0BF mov ecx, dword ptr fs:[00000030h]	6_2_012EF0BF
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EF0BF mov eax, dword ptr fs:[00000030h]	6_2_012EF0BF
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EF0BF mov eax, dword ptr fs:[00000030h]	6_2_012EF0BF
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B9080 mov eax, dword ptr fs:[00000030h]	6_2_012B9080
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01333884 mov eax, dword ptr fs:[00000030h]	6_2_01333884
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01333884 mov eax, dword ptr fs:[00000030h]	6_2_01333884
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C849B mov eax, dword ptr fs:[00000030h]	6_2_012C849B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01336CF0 mov eax, dword ptr fs:[00000030h]	6_2_01336CF0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01336CF0 mov eax, dword ptr fs:[00000030h]	6_2_01336CF0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01336CF0 mov eax, dword ptr fs:[00000030h]	6_2_01336CF0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B58EC mov eax, dword ptr fs:[00000030h]	6_2_012B58EC
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_013714FB mov eax, dword ptr fs:[00000030h]	6_2_013714FB
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0134B8D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0134B8D0 mov ecx, dword ptr fs:[00000030h]	6_2_0134B8D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0134B8D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0134B8D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0134B8D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0134B8D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01388CD6 mov eax, dword ptr fs:[00000030h]	6_2_01388CD6
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B4F2E mov eax, dword ptr fs:[00000030h]	6_2_012B4F2E
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B4F2E mov eax, dword ptr fs:[00000030h]	6_2_012B4F2E
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EE730 mov eax, dword ptr fs:[00000030h]	6_2_012EE730
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EA70E mov eax, dword ptr fs:[00000030h]	6_2_012EA70E
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EA70E mov eax, dword ptr fs:[00000030h]	6_2_012EA70E
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0134FF10 mov eax, dword ptr fs:[00000030h]	6_2_0134FF10
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0134FF10 mov eax, dword ptr fs:[00000030h]	6_2_0134FF10
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0137131B mov eax, dword ptr fs:[00000030h]	6_2_0137131B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0138070D mov eax, dword ptr fs:[00000030h]	6_2_0138070D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0138070D mov eax, dword ptr fs:[00000030h]	6_2_0138070D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012DF716 mov eax, dword ptr fs:[00000030h]	6_2_012DF716
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BDB60 mov ecx, dword ptr fs:[00000030h]	6_2_012BDB60
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012CFF60 mov eax, dword ptr fs:[00000030h]	6_2_012CFF60
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01388F6A mov eax, dword ptr fs:[00000030h]	6_2_01388F6A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E3B7A mov eax, dword ptr fs:[00000030h]	6_2_012E3B7A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E3B7A mov eax, dword ptr fs:[00000030h]	6_2_012E3B7A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01388B58 mov eax, dword ptr fs:[00000030h]	6_2_01388B58
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BDB40 mov eax, dword ptr fs:[00000030h]	6_2_012BDB40
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012CEF40 mov eax, dword ptr fs:[00000030h]	6_2_012CEF40
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BF358 mov eax, dword ptr fs:[00000030h]	6_2_012BF358
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E4BAD mov eax, dword ptr fs:[00000030h]	6_2_012E4BAD
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E4BAD mov eax, dword ptr fs:[00000030h]	6_2_012E4BAD
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E4BAD mov eax, dword ptr fs:[00000030h]	6_2_012E4BAD
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01385BA5 mov eax, dword ptr fs:[00000030h]	6_2_01385BA5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C1B8F mov eax, dword ptr fs:[00000030h]	6_2_012C1B8F
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C1B8F mov eax, dword ptr fs:[00000030h]	6_2_012C1B8F
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01337794 mov eax, dword ptr fs:[00000030h]	6_2_01337794
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01337794 mov eax, dword ptr fs:[00000030h]	6_2_01337794
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01337794 mov eax, dword ptr fs:[00000030h]	6_2_01337794
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0136D380 mov ecx, dword ptr fs:[00000030h]	6_2_0136D380
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C8794 mov eax, dword ptr fs:[00000030h]	6_2_012C8794
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E2397 mov eax, dword ptr fs:[00000030h]	6_2_012E2397
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0137138A mov eax, dword ptr fs:[00000030h]	6_2_0137138A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EB390 mov eax, dword ptr fs:[00000030h]	6_2_012EB390
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012DDBE9 mov eax, dword ptr fs:[00000030h]	6_2_012DDBE9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h]	6_2_012E03E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h]	6_2_012E03E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h]	6_2_012E03E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h]	6_2_012E03E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h]	6_2_012E03E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h]	6_2_012E03E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F37F5 mov eax, dword ptr fs:[00000030h]	6_2_012F37F5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_013353CA mov eax, dword ptr fs:[00000030h]	6_2_013353CA
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_013353CA mov eax, dword ptr fs:[00000030h]	6_2_013353CA
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F4A2C mov eax, dword ptr fs:[00000030h]	6_2_012F4A2C
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F4A2C mov eax, dword ptr fs:[00000030h]	6_2_012F4A2C
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0136FE3F mov eax, dword ptr fs:[00000030h]	6_2_0136FE3F
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BE620 mov eax, dword ptr fs:[00000030h]	6_2_012BE620
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C8A0A mov eax, dword ptr fs:[00000030h]	6_2_012C8A0A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BC600 mov eax, dword ptr fs:[00000030h]	6_2_012BC600
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BC600 mov eax, dword ptr fs:[00000030h]	6_2_012BC600
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BC600 mov eax, dword ptr fs:[00000030h]	6_2_012BC600
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E8E00 mov eax, dword ptr fs:[00000030h]	6_2_012E8E00
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012D3A1C mov eax, dword ptr fs:[00000030h]	6_2_012D3A1C
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EA61C mov eax, dword ptr fs:[00000030h]	6_2_012EA61C
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EA61C mov eax, dword ptr fs:[00000030h]	6_2_012EA61C
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B5210 mov eax, dword ptr fs:[00000030h]	6_2_012B5210
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B5210 mov ecx, dword ptr fs:[00000030h]	6_2_012B5210
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B5210 mov eax, dword ptr fs:[00000030h]	6_2_012B5210
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B5210 mov eax, dword ptr fs:[00000030h]	6_2_012B5210
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BAA16 mov eax, dword ptr fs:[00000030h]	6_2_012BAA16
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012BAA16 mov eax, dword ptr fs:[00000030h]	6_2_012BAA16
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C766D mov eax, dword ptr fs:[00000030h]	6_2_012C766D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F927A mov eax, dword ptr fs:[00000030h]	6_2_012F927A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0136B260 mov eax, dword ptr fs:[00000030h]	6_2_0136B260
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0136B260 mov eax, dword ptr fs:[00000030h]	6_2_0136B260
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01388A62 mov eax, dword ptr fs:[00000030h]	6_2_01388A62
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h]	6_2_012DAE73
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h]	6_2_012DAE73
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h]	6_2_012DAE73
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h]	6_2_012DAE73
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h]	6_2_012DAE73
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01344257 mov eax, dword ptr fs:[00000030h]	6_2_01344257
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B9240 mov eax, dword ptr fs:[00000030h]	6_2_012B9240
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B9240 mov eax, dword ptr fs:[00000030h]	6_2_012B9240
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B9240 mov eax, dword ptr fs:[00000030h]	6_2_012B9240
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B9240 mov eax, dword ptr fs:[00000030h]	6_2_012B9240
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h]	6_2_012C7E41
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h]	6_2_012C7E41
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h]	6_2_012C7E41
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h]	6_2_012C7E41
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h]	6_2_012C7E41
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h]	6_2_012C7E41
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h]	6_2_012B52A5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h]	6_2_012B52A5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h]	6_2_012B52A5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h]	6_2_012B52A5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h]	6_2_012B52A5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_013346A7 mov eax, dword ptr fs:[00000030h]	6_2_013346A7
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012CAAB0 mov eax, dword ptr fs:[00000030h]	6_2_012CAAB0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012CAAB0 mov eax, dword ptr fs:[00000030h]	6_2_012CAAB0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01380EA5 mov eax, dword ptr fs:[00000030h]	6_2_01380EA5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01380EA5 mov eax, dword ptr fs:[00000030h]	6_2_01380EA5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01380EA5 mov eax, dword ptr fs:[00000030h]	6_2_01380EA5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012EFAB0 mov eax, dword ptr fs:[00000030h]	6_2_012EFAB0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0134FE87 mov eax, dword ptr fs:[00000030h]	6_2_0134FE87
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012ED294 mov eax, dword ptr fs:[00000030h]	6_2_012ED294
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012ED294 mov eax, dword ptr fs:[00000030h]	6_2_012ED294
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E2AE4 mov eax, dword ptr fs:[00000030h]	6_2_012E2AE4
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E16E0 mov ecx, dword ptr fs:[00000030h]	6_2_012E16E0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012C76E2 mov eax, dword ptr fs:[00000030h]	6_2_012C76E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E36CC mov eax, dword ptr fs:[00000030h]	6_2_012E36CC
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012E2ACB mov eax, dword ptr fs:[00000030h]	6_2_012E2ACB
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_012F8EC7 mov eax, dword ptr fs:[00000030h]	6_2_012F8EC7
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_01388ED6 mov eax, dword ptr fs:[00000030h]	6_2_01388ED6
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Code function: 6_2_0136FEC0 mov eax, dword ptr fs:[00000030h]	6_2_0136FEC0

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Code function: 6_2_012F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,

6_2_012F9910

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 90000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Memory written: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Thread register set: target process: 684			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Thread register set: target process: 684			Jump to behavior

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Process created: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Jump to behavior

Source: explorer.exe, 00000007.00000000.540451282.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.497150687.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.597068063.0000000006100000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.540451282.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.474229294.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.586731988.0000000000E38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.540451282.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.474229294.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.661066106.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: YProgram Managerf
Source: explorer.exe, 00000007.00000000.540451282.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.474229294.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.661066106.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	Path Interception	512 Process Injection	1 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	512 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Connections Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	40%	Virustotal		Browse
SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	46%	ReversingLabs	Win32.Spyware.Noon
SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
shops.myshopify.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
www.classicpretty.com/qkkr/	1%	Virustotal		Browse
www.classicpretty.com/qkkr/	100%	Avira URL Cloud	malware
http://boards.4chan.org3Retrieving	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
shops.myshopify.com	23.227.38.74	true	false	0%, Virustotal, Browse	unknown
www.thesnapnsipbottle.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.classicpretty.com/qkkr/	true	1%, Virustotal, Browse Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://boards.4chan.org/b/	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	false		high
http://www.fontbureau.com/designers?	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://boards.4chan.org3Retrieving	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://images.4chan.org/	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe	false		high
http://www.urwpp.deDPlease	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680484
Start date and time: 08/08/202217:21:01	2022-08-08 17:21:01 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/1@1/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 91.8% (good quality ratio 78.4%) Quality average: 70.5% Quality standard deviation: 34.4%
HCA Information:	Successful, ratio: 96% Number of executed functions: 36 Number of non-executed functions: 143
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.152.110.14, 20.54.89.106, 20.223.24.244
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, e12564.dspb.akamaiedge.net, licensing.mp.microsoft.com, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:22:25	API Interceptor	1x Sleep call for process: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
shops.myshopify.com	Sat#U0131n Alma Emri Metak_JJO-003, PDF.exe	Get hash	malicious	Browse	23.227.38.74
	Sample Order_png.vbs	Get hash	malicious	Browse	23.227.38.74
	vbc.exe	Get hash	malicious	Browse	23.227.38.74
	PAYMENT COPY.exe	Get hash	malicious	Browse	23.227.38.74
	https://www.amberjack.shop	Get hash	malicious	Browse	23.227.38.74
	PAYMENT COPY.exe	Get hash	malicious	Browse	23.227.38.74
	Sipari#U015f Metak_WJO-001,pdf.exe	Get hash	malicious	Browse	23.227.38.74
	2kYemccxJ5.exe	Get hash	malicious	Browse	23.227.38.74
	Sipari#U015f Metak_WJO-001, pdf.exe	Get hash	malicious	Browse	23.227.38.74
	C0kXpdDmus.exe	Get hash	malicious	Browse	23.227.38.74
	TNT_AWB_AND_INVOICE_06859.exe	Get hash	malicious	Browse	23.227.38.74
	C2q1GGrExJ.exe	Get hash	malicious	Browse	23.227.38.74
	TNT_AWB_AND_INVOICE_06859.exe	Get hash	malicious	Browse	23.227.38.74
	Doc20220725388256354782.exe	Get hash	malicious	Browse	23.227.38.74
	SecuriteInfo.com.Trojan.Win32.Tnega.KAU.MTB.32429.exe	Get hash	malicious	Browse	23.227.38.74
	INV_GHHR0098_DSE.exe	Get hash	malicious	Browse	23.227.38.74
	TNT_e-invoice_N0.11073490.exe	Get hash	malicious	Browse	23.227.38.74
	FANCourier_RO_46674388484X5WCqDqiGRAe.exe	Get hash	malicious	Browse	23.227.38.74
	Bileddet.exe	Get hash	malicious	Browse	23.227.38.74
	0NoB6NOrRp.exe	Get hash	malicious	Browse	23.227.38.74

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT Transfer (103) 037RTG2050822156Pdf.exe.log

Download File

Process:	C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.461302452992026
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
File size:	988160
MD5:	47b96215204bad8db8ce43a4685ee74c
SHA1:	6b5af0c13af653e5347e1b5e6a7f3bbecee257d5
SHA256:	613edebe9f20eff6958bc447fa000388c1b986e1cdb76930ca061d2c92fe952c
SHA512:	b52c7e468cce2953a3d4880d1b2f8dc147147c8311c6f79b6bd766b67b7f4a1b28f34498bc02341cdcac0a735ecf8d6e78e495991780aa0d72f2acfe4f30f47e
SSDEEP:	24576:n6n08/X7tViZ4mMvQQdC6BTe9IbUDHDlF:n6n08/X7tM4m+QQb7UT
TLSH:	86259D07AFA43705E4B75BB9DD5B686183F27809717EE3782E905C9B2DFA301D80162B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r.b..............0..:...........E... ...`....@.. .......................`............@................................

File Icon


Icon Hash:	c68ce86ecc8c8ac8

Static PE Info

General

Entrypoint:	0x4e45e6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F072E8 [Mon Aug 8 02:20:24 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
mov bh, 1Dh
rol dword ptr [esi+ebp*2], 3Bh
or byte ptr [ecx], FFFFFFD9h
inc ebx
or eax, 130476DCh
imul ebp, dword ptr [ebx-3Bh], 17h
mov dl, 4Dh
xchg byte ptr [edx], bl
add eax, B81E4750h
in eax, dx
or byte ptr [esi], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe4594	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe6000	0xd4bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe3964	0xe3a00	False	0.7369566429846238	data	7.5981105192888725	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe6000	0xd4bc	0xd600	False	0.27655884929906543	data	3.7576742623203367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf4000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xe6128	0x94a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xef5e0	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xf1b98	0x10a8	data
RT_ICON	0xf2c50	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xf30c8	0x3e	data
RT_VERSION	0xf3118	0x3a0	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 17:24:22.907291889 CEST	63301	53	192.168.2.5	8.8.8.8
Aug 8, 2022 17:24:22.943212032 CEST	53	63301	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 8, 2022 17:24:22.907291889 CEST	192.168.2.5	8.8.8.8	0xa5c5	Standard query (0)	www.thesnapnsipbottle.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 8, 2022 17:24:22.943212032 CEST	8.8.8.8	192.168.2.5	0xa5c5	No error (0)	www.thesnapnsipbottle.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Aug 8, 2022 17:24:22.943212032 CEST	8.8.8.8	192.168.2.5	0xa5c5	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SWIFT Transfer (103) 037RTG2050822156Pdf.exePID: 5860, Parent PID: 5696

General

Target ID:	0
Start time:	17:22:06
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe"
Imagebase:	0xd10000
File size:	988160 bytes
MD5 hash:	47B96215204BAD8DB8CE43A4685EE74C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.467346210.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: SWIFT Transfer (103) 037RTG2050822156Pdf.exePID: 5032, Parent PID: 5860

General

Target ID:	6
Start time:	17:22:27
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Imagebase:	0x850000
File size:	988160 bytes
MD5 hash:	47B96215204BAD8DB8CE43A4685EE74C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 684, Parent PID: 5032

General

Target ID:	7
Start time:	17:22:33
Start date:	08/08/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff74fc70000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: NETSTAT.EXEPID: 5260, Parent PID: 684

General

Target ID:	15
Start time:	17:23:44
Start date:	08/08/2022
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase:	0x90000
File size:	32768 bytes
MD5 hash:	4E20FF629119A809BC0E7EE2D18A7FDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SWIFT Transfer (103) 037RTG2050822156Pdf.exePID: 5860, Parent PID: 5696COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.3%
Total number of Nodes:	69
Total number of Limit Nodes:	4

Executed Functions

Function 01803DC4 Relevance: 10.7, Strings: 8, Instructions: 668
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$%rl, xrefs: 01808B81
$%rl, xrefs: 01808860
$%rl, xrefs: 01808CA7
$%rl, xrefs: 01808A45
$%rl, xrefs: 01808C14
$%rl, xrefs: 0180899C
$%rl, xrefs: 018088F3
$%rl, xrefs: 01808AEE

Memory Dump Source

Source File: 00000000.00000002.464727639.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: $%rl$$%rl$$%rl$$%rl$$%rl$$%rl$$%rl$$%rl
API String ID: 0-602853459
Opcode ID: 3022c08e13881474b879ed8f0932e889de20795880f06061423b8c8edf769a2a
Instruction ID: 5c916f6e01f00abec69148854256a18c5cfd4681cf3293bd1df8c056a9f947b0
Opcode Fuzzy Hash: 3022c08e13881474b879ed8f0932e889de20795880f06061423b8c8edf769a2a
Instruction Fuzzy Hash: 2B620834A01209CFCB55EFA8C994A9DB3B2FF89304F1181A9D509AB354DB35AE89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01808458 Relevance: 10.7, Strings: 8, Instructions: 665
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$%rl, xrefs: 01808B81
$%rl, xrefs: 01808860
$%rl, xrefs: 01808CA7
$%rl, xrefs: 01808A45
$%rl, xrefs: 01808C14
$%rl, xrefs: 0180899C
$%rl, xrefs: 018088F3
$%rl, xrefs: 01808AEE

Memory Dump Source

Source File: 00000000.00000002.464727639.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: $%rl$$%rl$$%rl$$%rl$$%rl$$%rl$$%rl$$%rl
API String ID: 0-602853459
Opcode ID: 9c7ace6ac8fcbdd548399abeef9485251911976210805a58c340f4afe768f707
Instruction ID: 91c44fc3513f400041dd98b3a86832428a86f4a76aab81e4670b8e6d69d8710b
Opcode Fuzzy Hash: 9c7ace6ac8fcbdd548399abeef9485251911976210805a58c340f4afe768f707
Instruction Fuzzy Hash: 83620834A01209CFCB55DFA8C994ADDB3B2FF8A300F1181A9D509AB354DB35AE89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0180550C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018055C9

Memory Dump Source

Source File: 00000000.00000002.464727639.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 055b099df19239a673e1d15e97bdb6aaea881a3c791c442f968633401b557c5c
Instruction ID: 5c16cced29c7781030b62d88919779d33cbd907c5ba6b60069549bc24d06e577
Opcode Fuzzy Hash: 055b099df19239a673e1d15e97bdb6aaea881a3c791c442f968633401b557c5c
Instruction Fuzzy Hash: 5141F2B1C0021CCFDB25CF99C888BDDBBB1BF49314F10845AD519AB291DB756986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01803F84 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018055C9

Memory Dump Source

Source File: 00000000.00000002.464727639.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5b3d74d174e81162ffcb4c93a88a7f5ab3c9126d9c1f2ae552c7b84c358fbe6f
Instruction ID: babcdd2dfa9f6e3631e5aa457d03b941b20d9cddc45db40ff84ee5879e8fb31a
Opcode Fuzzy Hash: 5b3d74d174e81162ffcb4c93a88a7f5ab3c9126d9c1f2ae552c7b84c358fbe6f
Instruction Fuzzy Hash: 5A4102B0C0035CCFDB24CFA9C888B9DBBB1BF48314F148059D509AB291DB755985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0180BEE0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0180DF5E,?,?,?,?,?), ref: 0180E01F

Memory Dump Source

Source File: 00000000.00000002.464727639.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7dec67a2812384f958843edba25aae7e7dd4dfc9bf463d448484ad2310aa9b03
Instruction ID: 63f15aa2619e7256aab28f1f143853668396b7000596aae424e44a4e641517a3
Opcode Fuzzy Hash: 7dec67a2812384f958843edba25aae7e7dd4dfc9bf463d448484ad2310aa9b03
Instruction Fuzzy Hash: 7221E4B5901248AFDB10CFA9D984ADEFBF8FB49324F14841AE914A7350D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0180BB58 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0180C031,00000800,00000000,00000000), ref: 0180C242

Memory Dump Source

Source File: 00000000.00000002.464727639.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4b5968ce0f00b8ba1c6636b7f8fc44602f8c84d8baca8d7cd11de7abb37e616d
Instruction ID: b5e75ec0b9277dc33e1ad44f2490b23a5425d976d97fd6f7797bf18f3129fa43
Opcode Fuzzy Hash: 4b5968ce0f00b8ba1c6636b7f8fc44602f8c84d8baca8d7cd11de7abb37e616d
Instruction Fuzzy Hash: 651156B68003488FDB10CF9AC848BDEFBF4EB88324F04812EE519A7640C778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0180BF50 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0180BFB6

Memory Dump Source

Source File: 00000000.00000002.464727639.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5b8311375a7139b69f8bde3a01a2faa904e67d4a78bb25786472ee7da1381aab
Instruction ID: b9aaa4c38a804cb58b8e69d1f91d0fd9f92b11ec79f4b5c2ab56ee8831671f5e
Opcode Fuzzy Hash: 5b8311375a7139b69f8bde3a01a2faa904e67d4a78bb25786472ee7da1381aab
Instruction Fuzzy Hash: 98110FB6C002498FDB20CF9AC844BDEFBF4AB89324F10841AD429A7240C379A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014AD400 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.463942933.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12625a204ef4be65d7f091976d1c7c544d805664d0bf286f08c129e37b0f1d4e
Instruction ID: 2439fedcebd117560094cf520ed6c10b4fe908e38162bc53c544eddd1fb6828c
Opcode Fuzzy Hash: 12625a204ef4be65d7f091976d1c7c544d805664d0bf286f08c129e37b0f1d4e
Instruction Fuzzy Hash: 822163B1904200DFDB01DF54D8C0B67BF61FBA8324F65C57AE9050B726C33AE806CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 014AD4EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.463942933.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc9d5f1e5b47bf5c5eb7bcfc52695319be4dcf5c46d5b56d5d7378d2cde1fb2
Instruction ID: b732a22c94e11513196f99e3122dc8a9d8406196f09f3d4eaafec14789b9ddec
Opcode Fuzzy Hash: ccc9d5f1e5b47bf5c5eb7bcfc52695319be4dcf5c46d5b56d5d7378d2cde1fb2
Instruction Fuzzy Hash: 582148B1904200DFDB05DF94D9C4B27BF61FBA8328F65856AE9454B717C336D806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.464013328.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c09988b0cbc0d6ea74e62ec49943d676abea423cca13b0ef6596d745f86efe
Instruction ID: 6fbeb5552b53a56536db7d65a89f3a31a51b2c0f3a43a511244012f94d8b3d7c
Opcode Fuzzy Hash: e9c09988b0cbc0d6ea74e62ec49943d676abea423cca13b0ef6596d745f86efe
Instruction Fuzzy Hash: 692106B1904240DFDB15CF54D9C4B56BBA1EB4426CF24C9AAD9094B356C33AD807CA71

Uniqueness

Uniqueness Score: -1.00%

Function 014BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.464013328.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e06b8881476935a38083c057717bee3046f66dbca4f391636cd952131523df6e
Instruction ID: 26f45a1dcff5bc3884aeec390aae40048a0c1328d8869eeb24b4d63f0f45b0d4
Opcode Fuzzy Hash: e06b8881476935a38083c057717bee3046f66dbca4f391636cd952131523df6e
Instruction Fuzzy Hash: 8E21F5B1904284DFDB09DF94D9C4B66BBA5FB84328F24C9AED9094B352C336D846CB71

Uniqueness

Uniqueness Score: -1.00%

Function 014BD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.464013328.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a408041ef906d69671b2b05c38317bf0f4988232e8bcb264879527e14eb07cd
Instruction ID: d8282ffa15cab68a2882c24b2c4f1324a5194f1ae3081bac940882ee416222fd
Opcode Fuzzy Hash: 0a408041ef906d69671b2b05c38317bf0f4988232e8bcb264879527e14eb07cd
Instruction Fuzzy Hash: 2F2180755093808FDB03CF24D9D4B56BF71EB46218F28C5DBD8498B667C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 014AD4E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.463942933.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
Instruction ID: ddab41370b3ff7565a61930f5efdf22df95c9a10f36405d3c92cea3c26690cfe
Opcode Fuzzy Hash: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
Instruction Fuzzy Hash: B511AF76804280CFDB16CF54D9C4B16BF72FB98324F2486AAD8454B726C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014AD3FB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.463942933.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
Instruction ID: 301a58173f645df574d44e31343ab079fb13558022351f318311246b7d29deb2
Opcode Fuzzy Hash: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
Instruction Fuzzy Hash: C2119D76804280DFDB12CF54D9C4B56BF61FB94324F2486AAD8450B626C33AE45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.464013328.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf8786c862224cd60d523cb0b0a650e3fc3fbcbae046b1466f7c261acfc7208
Instruction ID: 1529c29b32fd324749ab15dae6df68a32d52b32ab1b8b0e5a3c1cb0f18643676
Opcode Fuzzy Hash: 4cf8786c862224cd60d523cb0b0a650e3fc3fbcbae046b1466f7c261acfc7208
Instruction Fuzzy Hash: 3911BE75904280DFDB06CF54C5C4B56BF71FB84228F24C6AAD8494B766C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 014AD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.463942933.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d45d07dabd1e90c59e1dd7e35e27f7def25095f13980544595348f9eb3fc4fb
Instruction ID: 2bdb70d5abd60e59600e20e216a3d3ab73169787f04eaee44c6f69a78830e97e
Opcode Fuzzy Hash: 8d45d07dabd1e90c59e1dd7e35e27f7def25095f13980544595348f9eb3fc4fb
Instruction Fuzzy Hash: BC017BB58083C49EE7144A6ACCC4B63FFE8EF21238F49841BEE040A796C3389440C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 014AD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.463942933.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505762af9f4aa4d20ae08f7537b05405c2abc34bfd86e5fe47f2fa3e67b27078
Instruction ID: 1588370ee0282af0ef292ee2cbcbf5f9943e1892f009143f97e584c18441de06
Opcode Fuzzy Hash: 505762af9f4aa4d20ae08f7537b05405c2abc34bfd86e5fe47f2fa3e67b27078
Instruction Fuzzy Hash: 7EF0F6754043849EE7258A5ACCC4B63FFA8EF51634F18C45BEE080B796C3789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SWIFT Transfer (103) 037RTG2050822156Pdf.exePID: 5032, Parent PID: 5860COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	55.5%
Total number of Nodes:	1384
Total number of Limit Nodes:	82

Executed Functions

Function 012F9910 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F991A

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6321c4edb2cef8f551249dd80e5439124ff043c7d41721e6fc2b2989e31b59ce
Instruction ID: ccd3ee4d0ba156a11999ba14c2b794d645dee6ae3770728e0393aa6e1c4a20c9
Opcode Fuzzy Hash: 6321c4edb2cef8f551249dd80e5439124ff043c7d41721e6fc2b2989e31b59ce
Instruction Fuzzy Hash: F09002B520100402D541B1D944147460085A7D0345F51C021A5054558EC6D98DD976A5

Uniqueness

Uniqueness Score: -1.00%

Function 012F9540 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F954A

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c774dd146bc7efba78a247e10804eddef3f9b50f1c65d2ede30fc74e447139db
Instruction ID: 4c18562d3e90e1a60fc3c5a319653d6804f437d8e155ca35c2017b3715e8a2e7
Opcode Fuzzy Hash: c774dd146bc7efba78a247e10804eddef3f9b50f1c65d2ede30fc74e447139db
Instruction Fuzzy Hash: D8900269211000034506E5D9071460700C6A7D5395351C031F1005554CD6A188656161

Uniqueness

Uniqueness Score: -1.00%

Function 012F99A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F99AA

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b2d22ce649ac8fd86cadbac55c3690cdd98473b150c6292de0d19e8697dbe6b
Instruction ID: f3d3fb3f00c1749cd0c22c876e45877bcbf69b558b72ce2d7d07e38c80c943d6
Opcode Fuzzy Hash: 2b2d22ce649ac8fd86cadbac55c3690cdd98473b150c6292de0d19e8697dbe6b
Instruction Fuzzy Hash: C99002A534100442D501A1D94424B060085E7E1345F51C025E1054558DC699CC567166

Uniqueness

Uniqueness Score: -1.00%

Function 012F95D0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F95DA

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0d8ce08e7e04714f9b8c3dc609dff46abc0895d62f1d510f575552e10b16fc1d
Instruction ID: ffad6d9b50916b273727acd1597b98d37b6bcc16f0a0ed23cec552332f832590
Opcode Fuzzy Hash: 0d8ce08e7e04714f9b8c3dc609dff46abc0895d62f1d510f575552e10b16fc1d
Instruction Fuzzy Hash: C79002A5202000038506B1D94424716408AA7E0245B51C031E1004594DC5A588957165

Uniqueness

Uniqueness Score: -1.00%

Function 012F9860 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F986A

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ec885865ad1e0b8c5a31028e4989566444e74cd1b01428494ccc082bf0dfcc
Instruction ID: fe0dbcc578f6aa4f96c4f3f06571acd7c2d7e5f3cd91bb279f4c9a4ae33c4ef3
Opcode Fuzzy Hash: 14ec885865ad1e0b8c5a31028e4989566444e74cd1b01428494ccc082bf0dfcc
Instruction Fuzzy Hash: AF90027520100413D512A1D945147070089A7D0285F91C422A041455CDD6D68956B161

Uniqueness

Uniqueness Score: -1.00%

Function 012F9840 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F984A

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bb622e7baf28e95ffde133e87e7ffb36bd816851f94bfbdfbdfff5d9817cc1c1
Instruction ID: 3dec41918d595f383e2995396a062372676156f458716287302c051dce7b0e76
Opcode Fuzzy Hash: bb622e7baf28e95ffde133e87e7ffb36bd816851f94bfbdfbdfff5d9817cc1c1
Instruction Fuzzy Hash: 44900265242041529946F1D944146074086B7E0285791C022A1404954CC5A6985AE661

Uniqueness

Uniqueness Score: -1.00%

Function 012F98F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F98FA

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 38fa9aafecaa459469ab9fe972be9b099ff18d18e6841beedd549b0e90e49e81
Instruction ID: 58c8fbb315fcdd777798724478eebfcb9e4826ea7c121ace22152d52515cfca8
Opcode Fuzzy Hash: 38fa9aafecaa459469ab9fe972be9b099ff18d18e6841beedd549b0e90e49e81
Instruction Fuzzy Hash: C390026560100502D502B1D94414716008AA7D0285F91C032A1014559ECAA58996B171

Uniqueness

Uniqueness Score: -1.00%

Function 012F9710 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F971A

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7aa9089c3b7937ea88d4fdd3b6fc249f64a575d5d9e9a6c494907d942b6ebb93
Instruction ID: 2302cbb4c27daea668319c585f80bbf2a634210486d74df96737388ad165bed9
Opcode Fuzzy Hash: 7aa9089c3b7937ea88d4fdd3b6fc249f64a575d5d9e9a6c494907d942b6ebb93
Instruction Fuzzy Hash: B090027520100402D501A5D954187460085A7E0345F51D021A5014559EC6E588957171

Uniqueness

Uniqueness Score: -1.00%

Function 012F97A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F97AA

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1eda9a4e826a1a7c6d39a2fbe717e60aaab9cf0cb4115a74d98b6204c4887d3b
Instruction ID: e342e04b409e9b8f8bd7b9d82fb4197e8a55e22f0750ae4309cffe2d8005b935
Opcode Fuzzy Hash: 1eda9a4e826a1a7c6d39a2fbe717e60aaab9cf0cb4115a74d98b6204c4887d3b
Instruction Fuzzy Hash: 9090026530100003D541B1D954287064085F7E1345F51D021E0404558CD995885A6262

Uniqueness

Uniqueness Score: -1.00%

Function 012F9780 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F978A

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 546a19eaa5c14e027e1b89e65deec94b9832ddd42065b093ecc166c9c19e2887
Instruction ID: 28d3dc455c1c157e7f8d7ba12510684240f259bc948d7b0f3175e91edaa25276
Opcode Fuzzy Hash: 546a19eaa5c14e027e1b89e65deec94b9832ddd42065b093ecc166c9c19e2887
Instruction Fuzzy Hash: F490026D21300002D581B1D9541870A0085A7D1246F91D425A000555CCC995886D6361

Uniqueness

Uniqueness Score: -1.00%

Function 012F9FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012F9FEA

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e27d071b4fe0499ac805cc107147de8a6959c2e3b0a443967002ca59b05ce86d
Instruction ID: 11f7dd02f45f901ffd971f9eb42577386590a564452fcaf7cbcd8f1d7942ac7d
Opcode Fuzzy Hash: e27d071b4fe0499ac805cc107147de8a6959c2e3b0a443967002ca59b05ce86d
Instruction Fuzzy Hash: D590027531114402D511A1D984147060085A7D1245F51C421A081455CDC6D588957162

Uniqueness

Uniqueness Score: -1.00%

Function 012F9A20 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F9A2A

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: da9f5b346a20ab6c0dd93ca672789b4c8f24c2813ffb563eaeb000cce85c8db0
Instruction ID: c4f2720d2d0c03d56b9a633917dc5783cdbbd0494b0d64253eb6883f1c46d491
Opcode Fuzzy Hash: da9f5b346a20ab6c0dd93ca672789b4c8f24c2813ffb563eaeb000cce85c8db0
Instruction Fuzzy Hash: 0C900265601000428541B1E98854A064085BBE1255751C131A0988554DC5D9886966A5

Uniqueness

Uniqueness Score: -1.00%

Function 012F9A00 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F9A0A

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: addd56fd1e682223e21c166cdb3252585444025ebc2b7bb88cd706f37c333dc2
Instruction ID: 4273214fcfcd06009a4acd89a756ec319030257ab5d35520d53c4ea3cbef0748
Opcode Fuzzy Hash: addd56fd1e682223e21c166cdb3252585444025ebc2b7bb88cd706f37c333dc2
Instruction Fuzzy Hash: 0490027520140402D501A1D9482470B0085A7D0346F51C021A1154559DC6A5885575B1

Uniqueness

Uniqueness Score: -1.00%

Function 012F9660 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F966A

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: da154100b3b9176f720c4e4614c1a1e636b5f120129d757569273f86cc9949db
Instruction ID: 5c54b2ee29a144e19e066eba7221f2d6ab7b71abe7fb25a4277d729b59edc933
Opcode Fuzzy Hash: da154100b3b9176f720c4e4614c1a1e636b5f120129d757569273f86cc9949db
Instruction Fuzzy Hash: 4490027520100802D581B1D9441474A0085A7D1345F91C025A0015658DCA958A5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 012F9A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012F9A5A

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2df7baaccd2d4da4a0ebb977b87ae834edf5bb3ffe72e87dcb3d8160b4fd763b
Instruction ID: 5541f9e093eaca49f2ab336a0a6a3c601e225e8e123d1b60a944c296ebd48ce6
Opcode Fuzzy Hash: 2df7baaccd2d4da4a0ebb977b87ae834edf5bb3ffe72e87dcb3d8160b4fd763b
Instruction Fuzzy Hash: E490026521180042D601A5E94C24B070085A7D0347F51C125A0144558CC99588656561

Uniqueness

Uniqueness Score: -1.00%

Function 012F96E0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F96EA

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58569633a8fcc4449debcf00dee6fadb87264c763878716c130a0bce0e46e939
Instruction ID: 8d31ffa9770bfa8ff26775ae6f2d618b555a923a29bb0099e1007dec22b9e5ad
Opcode Fuzzy Hash: 58569633a8fcc4449debcf00dee6fadb87264c763878716c130a0bce0e46e939
Instruction Fuzzy Hash: 7990027520108802D511A1D9841474A0085A7D0345F55C421A441465CDC6D588957161

Uniqueness

Uniqueness Score: -1.00%

Function 012F967A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F9694

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aecf1e9dae90d7c2f17f846065269957695fbb1dd5693ec0370e85ddb33214e8
Instruction ID: f7e24fb6d4ffd1eb7620f13049403435e55d61e7abf2a2fb740758daf2a4d87b
Opcode Fuzzy Hash: aecf1e9dae90d7c2f17f846065269957695fbb1dd5693ec0370e85ddb33214e8
Instruction Fuzzy Hash: E7B09B719014C5C9DE12D7E54608B177A407BD0745F16C075E3020645B8778C0D5F5B5

Uniqueness

Uniqueness Score: -1.00%

Function 00420390 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.631235109.0000000000420000.00000040.00000400.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_420000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9125501b1dfacbad066012bd511793713bff92926284f7c29353dbce1d1e8b36
Instruction ID: 2a06448e111e3b603e12bed153a0e2548fd96d450e38f6ebe418f51a30c7a251
Opcode Fuzzy Hash: 9125501b1dfacbad066012bd511793713bff92926284f7c29353dbce1d1e8b36
Instruction Fuzzy Hash: B6C02B00FCD18E4B411132F52BB22D3FF5C084660AF0C02E69D8C066036D03006D86CA

Uniqueness

Uniqueness Score: -1.00%

Function 004203A0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.631235109.0000000000420000.00000040.00000400.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_420000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def83cf0942b3be29e8a785fa4190a3b3ce910afda4e2365945ea52d22a77afe
Instruction ID: 31eed8ce10df270e44893fa611b8988500361ce9a6345f53f8b7e9a7f2eb4c3d
Opcode Fuzzy Hash: def83cf0942b3be29e8a785fa4190a3b3ce910afda4e2365945ea52d22a77afe
Instruction Fuzzy Hash: D9A02220E8830C03002030FA2E83023B30C800000AF0003EAAC0C022023C02A83220EB

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0136B260 Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

read from, xrefs: 0136B4AD, 0136B4B2
The instruction at %p referenced memory at %p., xrefs: 0136B432
a NULL pointer, xrefs: 0136B4E0
*** then kb to get the faulting stack, xrefs: 0136B51C
an invalid address, %p, xrefs: 0136B4CF
The critical section is owned by thread %p., xrefs: 0136B3B9
*** enter .cxr %p for the context, xrefs: 0136B50D
The resource is owned exclusively by thread %p, xrefs: 0136B374
Go determine why that thread has not released the critical section., xrefs: 0136B3C5
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0136B323
The instruction at %p tried to %s , xrefs: 0136B4B6
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0136B3D6
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0136B53F
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0136B484
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0136B314
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0136B476
write to, xrefs: 0136B4A6
This failed because of error %Ix., xrefs: 0136B446
*** Inpage error in %ws:%s, xrefs: 0136B418
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0136B2DC
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0136B38F
*** Resource timeout (%p) in %ws:%s, xrefs: 0136B352
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0136B305
<unknown>, xrefs: 0136B27E, 0136B2D1, 0136B350, 0136B399, 0136B417, 0136B48E
*** enter .exr %p for the exception record, xrefs: 0136B4F1
The resource is owned shared by %d threads, xrefs: 0136B37E
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0136B39B
*** An Access Violation occurred in %ws:%s, xrefs: 0136B48F
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0136B47D
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0136B2F3

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 4e87ff38e423be97fa5b8e00c2e161f81237dde784f0847150c32fa18e8b8c89
Instruction ID: c16ac011bdec76a70800b1096855273dd3462408b8725bd4793f4003915f2d8b
Opcode Fuzzy Hash: 4e87ff38e423be97fa5b8e00c2e161f81237dde784f0847150c32fa18e8b8c89
Instruction Fuzzy Hash: E8814731B50214FFDB22AA4ACC45D7B7F6EEF56B59F808058F604AB51AD2619402CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 01371C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01371C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x12948a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E012BB150();
				} else {
					E012BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x13a589c);
				E012BB150("Heap error detected at %p (heap handle %p)\n",  *0x13a58a0);
				_t27 =  *0x13a5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01371E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E012BB150();
				} else {
					E012BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E012BB150("Error code: %d - %s\n",  *0x13a5898);
				_t113 =  *0x13a58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E012BB150();
					} else {
						E012BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E012BB150("Parameter1: %p\n",  *0x13a58a4);
				}
				_t115 =  *0x13a58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E012BB150();
					} else {
						E012BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E012BB150("Parameter2: %p\n",  *0x13a58a8);
				}
				_t117 =  *0x13a58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E012BB150();
					} else {
						E012BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E012BB150("Parameter3: %p\n",  *0x13a58ac);
				}
				_t119 =  *0x13a58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E012BB150();
					} else {
						E012BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x13a58b4);
					E012BB150("Last known valid blocks: before - %p, after - %p\n",  *0x13a58b0);
				} else {
					_t120 =  *0x13a58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E012BB150();
				} else {
					E012BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E012BB150("Stack trace available at %p\n", 0x13a58c0);
			}

0x01371c10
0x01371c16
0x01371c1e
0x01371c3d
0x01371c3e
0x01371c20
0x01371c35
0x01371c3a
0x01371c44
0x01371c55
0x01371c5a
0x01371c65
0x01371c67
0x00000000
0x01371c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01371c67
0x01371cdc
0x01371ce5
0x01371d04
0x01371d05
0x01371ce7
0x01371cfc
0x01371d01
0x01371d0b
0x01371d17
0x01371d1f
0x01371d25
0x01371d30
0x01371d4f
0x01371d50
0x01371d32
0x01371d47
0x01371d4c
0x01371d61
0x01371d67
0x01371d68
0x01371d6e
0x01371d79
0x01371d98
0x01371d99
0x01371d7b
0x01371d90
0x01371d95
0x01371daa
0x01371db0
0x01371db1
0x01371db7
0x01371dc2
0x01371de1
0x01371de2
0x01371dc4
0x01371dd9
0x01371dde
0x01371df3
0x01371df9
0x01371dfa
0x01371e00
0x01371e0a
0x01371e13
0x01371e32
0x01371e33
0x01371e15
0x01371e2a
0x01371e2f
0x01371e39
0x01371e4a
0x01371e02
0x01371e02
0x01371e08
0x00000000
0x00000000
0x01371e08
0x01371e5b
0x01371e7a
0x01371e7b
0x01371e5d
0x01371e72
0x01371e77
0x01371e95

Strings

Error code: %d - %s, xrefs: 01371D12
heap_failure_unknown, xrefs: 01371C75
heap_failure_generic, xrefs: 01371C7C
heap_failure_invalid_argument, xrefs: 01371CAD
Heap error detected at %p (heap handle %p), xrefs: 01371C50
Parameter3: %p, xrefs: 01371DEE
Stack trace available at %p, xrefs: 01371E86
heap_failure_cross_heap_operation, xrefs: 01371CC2
HEAP[%wZ]: , xrefs: 01371C30, 01371CF7, 01371D42, 01371D8B, 01371DD4, 01371E25, 01371E6D
heap_failure_lfh_bitmap_mismatch, xrefs: 01371CD7
Parameter1: %p, xrefs: 01371D5C
heap_failure_invalid_allocation_type, xrefs: 01371CB4
Parameter2: %p, xrefs: 01371DA5
heap_failure_entry_corruption, xrefs: 01371C83
heap_failure_internal, xrefs: 01371C6E
heap_failure_buffer_overrun, xrefs: 01371C98
heap_failure_block_not_busy, xrefs: 01371CA6
heap_failure_multiple_entries_corruption, xrefs: 01371C8A
Last known valid blocks: before - %p, after - %p, xrefs: 01371E45
heap_failure_freelists_corruption, xrefs: 01371CC9
heap_failure_usage_after_free, xrefs: 01371CBB
HEAP: , xrefs: 01371C16, 01371C3D, 01371D04, 01371D4F, 01371D98, 01371DE1, 01371E32, 01371E7A
heap_failure_listentry_corruption, xrefs: 01371CD0
heap_failure_buffer_underrun, xrefs: 01371C9F
heap_failure_virtual_block_corruption, xrefs: 01371C91

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: a99b7a69469a5b3dc63fe80b20bfd82fc5060ebd7f21e417eb123b30fc327b81
Instruction ID: 69d9468bab412d4ec75fa04b4012d3462835c96aeda2e59ed6354a05c8d51556
Opcode Fuzzy Hash: a99b7a69469a5b3dc63fe80b20bfd82fc5060ebd7f21e417eb123b30fc327b81
Instruction Fuzzy Hash: E861913363114ADFDB31AB89E485E3477ECEB04B64B4A806EF5096B702D6289C418F5A

Uniqueness

Uniqueness Score: -1.00%

Function 012E8E00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 126
timeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E012E8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x13ad360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x13a8464; // 0x76d90110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x13a5780 & 0x00000003) != 0) {
							E01335510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x13a5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E012FB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x13a7984; // 0xff2c28
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x13a8464; // 0x76d90110
					 *0x13ab1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E012E9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x13a5780 & 0x00000005) != 0) {
						_push(_t49);
						E01335510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x012e8e0f
0x012e8e16
0x012e8e19
0x012e8e1b
0x012e8e21
0x012e8e7f
0x012e8e85
0x01329354
0x0132936c
0x01329371
0x0132937b
0x01329381
0x01329381
0x0132937b
0x012e8e9d
0x012e8e9d
0x012e8e29
0x012e8e2c
0x012e8e38
0x012e8e3e
0x012e8e43
0x012e8eb5
0x012e8eb9
0x013292aa
0x013292af
0x013292e8
0x013292e8
0x013292af
0x012e8eb9
0x012e8e45
0x012e8e53
0x012e8e5b
0x012e8e5f
0x012e8e78
0x012e8e78
0x012e8e7d
0x012e8ec3
0x012e8ecd
0x012e8ed2
0x012e8ed2
0x012e8ec5
0x012e8ec5
0x00000000
0x012e8e7d
0x012e8e67
0x012e8ea4
0x0132931a
0x00000000
0x00000000
0x01329320
0x012e8ea4
0x012e8e70
0x01329325
0x01329340
0x01329345
0x01329345
0x012e8e76
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 012E8E53

Strings

LdrpFindDllActivationContext, xrefs: 01329331, 0132935D
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0132932A
minkernel\ntdll\ldrsnap.c, xrefs: 0132933B, 01329367
Querying the active activation context failed with status 0x%08lx, xrefs: 01329357

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 71975b99ef64d061858b28c823ad84dce279c32adfa0e1a60a794d9e79df8685
Instruction ID: 7f13be1250423551ed280ed2c66d9c065bd1bac932382f127ef3a10f6b89383b
Opcode Fuzzy Hash: 71975b99ef64d061858b28c823ad84dce279c32adfa0e1a60a794d9e79df8685
Instruction Fuzzy Hash: 46410932A203169EEF36AA5C884DB75B7E4BB04358FCE4169FB8457152E7706D808381

Uniqueness

Uniqueness Score: -1.00%

Function 012C3D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E012C3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E012C1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E012C1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E012C1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E012C1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E012C1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L012D4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E012FF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01301370(_t276, 0x1294e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E012FBB40(0,  &_v68, _t170);
									if(L012C43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E012FBB40(_t257,  &_v68, _t243);
								if(L012C43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01301370(_t278, 0x1294e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L012D4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E012FF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01301370(_v16, 0x1294e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E012FBB40(_t262,  &_v68, _t244);
								if(L012C43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01301370(_t282, 0x1294e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E012FBB40(_t262,  &_v68, _t201);
							if(L012C43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L012D4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E012FF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01301370(_t280, 0x1294e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E012FBB40(_t267,  &_v68, _t245);
							if(L012C43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01301370(_t284, 0x1294e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E012FBB40(_t267,  &_v68, _t224);
						if(L012C43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x012c3d3c
0x012c3d42
0x012c3d44
0x012c3d46
0x012c3d49
0x012c3d4c
0x012c3d4f
0x012c3d52
0x012c3d55
0x012c3d58
0x012c3d5b
0x012c3d5f
0x012c3d61
0x012c3d66
0x01318213
0x01318218
0x012c4085
0x012c4088
0x012c408e
0x012c4094
0x012c409a
0x012c40a0
0x012c40a6
0x012c40a9
0x012c40af
0x012c40b6
0x012c40bd
0x012c40bd
0x012c3d83
0x0131821f
0x01318229
0x01318238
0x01318238
0x0131823d
0x0131823d
0x012c3da0
0x012c3daf
0x012c3db5
0x012c3dba
0x012c3dba
0x012c3dd4
0x012c3e94
0x012c3eab
0x012c3f6d
0x012c3f84
0x012c406b
0x012c406b
0x012c406e
0x012c406e
0x012c4070
0x012c4074
0x01318351
0x01318351
0x012c407a
0x012c407f
0x0131835d
0x01318370
0x01318377
0x01318379
0x0131837c
0x0131837c
0x0131835d
0x00000000
0x012c407f
0x012c3f8a
0x012c3f8d
0x012c3f90
0x012c3f95
0x0131830d
0x0131830f
0x012c3f9b
0x012c3fac
0x012c3fae
0x012c3fb1
0x012c3fb1
0x012c3fb6
0x01318317
0x0131831a
0x00000000
0x012c3fbc
0x012c3fc1
0x012c3fc9
0x012c3fd7
0x012c3fda
0x012c3fdd
0x012c4021
0x012c4021
0x012c4029
0x012c4030
0x012c4044
0x012c4046
0x012c4046
0x012c4044
0x012c4049
0x01318327
0x01318334
0x01318339
0x0131833c
0x012c404f
0x012c404f
0x012c404f
0x012c4051
0x012c4056
0x012c4063
0x012c4063
0x012c4068
0x00000000
0x012c4068
0x012c3fdf
0x012c3fe2
0x012c3fe4
0x012c3fe7
0x012c3fef
0x012c4003
0x012c4005
0x012c4005
0x012c400c
0x012c4013
0x012c4016
0x012c4017
0x012c401b
0x012c401e
0x00000000
0x012c401e
0x012c3fb6
0x012c3eb1
0x012c3eb4
0x012c3eb7
0x012c3ebc
0x013182a9
0x013182ab
0x012c3ec2
0x012c3ed3
0x012c3ed5
0x012c3ed8
0x012c3ed8
0x012c3edd
0x013182b3
0x013182b6
0x00000000
0x012c3ee3
0x012c3ee8
0x012c3eed
0x012c3ef0
0x012c3ef3
0x012c3f02
0x012c3f05
0x012c3f08
0x013182c0
0x013182c3
0x013182c5
0x013182c8
0x013182d0
0x013182e4
0x013182e6
0x013182e6
0x013182ed
0x013182f4
0x013182f7
0x013182f8
0x013182fc
0x013182ff
0x013182ff
0x012c3f0e
0x012c3f11
0x012c3f16
0x012c3f1d
0x012c3f31
0x01318307
0x01318307
0x012c3f31
0x012c3f39
0x012c3f48
0x012c3f4d
0x012c3f50
0x012c3f50
0x012c3f53
0x012c3f58
0x012c3f65
0x012c3f65
0x012c3f6a
0x00000000
0x012c3f6a
0x012c3edd
0x012c3dda
0x012c3ddd
0x012c3de0
0x012c3de5
0x01318245
0x012c3deb
0x012c3df7
0x012c3dfc
0x012c3dfe
0x012c3e01
0x012c3e01
0x012c3e06
0x0131824d
0x0131824f
0x01318254
0x00000000
0x012c3e0c
0x012c3e11
0x012c3e16
0x012c3e19
0x012c3e29
0x012c3e2c
0x012c3e2f
0x0131825c
0x0131825f
0x01318261
0x01318264
0x0131826c
0x01318280
0x01318282
0x01318282
0x01318289
0x01318290
0x01318293
0x01318294
0x01318298
0x0131829b
0x0131829b
0x012c3e35
0x012c3e38
0x012c3e3d
0x012c3e44
0x012c3e58
0x013182a3
0x013182a3
0x012c3e58
0x012c3e60
0x012c3e6f
0x012c3e74
0x012c3e77
0x012c3e77
0x012c3e7a
0x012c3e7f
0x012c3e8c
0x012c3e8c
0x012c3e91
0x00000000
0x012c3e91

Strings

Kernel-MUI-Language-Allowed, xrefs: 012C3DC0
Kernel-MUI-Number-Allowed, xrefs: 012C3D8C
Kernel-MUI-Language-SKU, xrefs: 012C3F70
WindowsExcludedProcs, xrefs: 012C3D6F
Kernel-MUI-Language-Disallowed, xrefs: 012C3E97

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 9535c7986a4149a1f328fd17ba4780e2a4957dc94b70d7d040bab8b1047331a9
Instruction ID: 45958d723a0b627149f395bc0ef6830d677b6bd5e321b16dacf58a729033f552
Opcode Fuzzy Hash: 9535c7986a4149a1f328fd17ba4780e2a4957dc94b70d7d040bab8b1047331a9
Instruction Fuzzy Hash: ECF18272D20259EFCB15DF98C9809EFBBB9FF08A50F14456AEA05E7250E7749E01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012C8794 Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E012C8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E012C934A() != 0) {
								_t159 = E0133A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x13a5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01335510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x13a5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E012C849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E012C8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E012C8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x13a5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x13a5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E012D2280(_t92, 0x13a86cc);
															_t94 = E01389DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E012E61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x13a5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E012C8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x13a5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x13a5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E012FF380(_t136, 0x1291184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E012D2280(_t108, 0x13a86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E012E61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01389D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E012CFFB0(_t118, _t156, 0x13a86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E012F9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x012c8799
0x012c879d
0x012c87a1
0x012c87a3
0x012c87a8
0x012c87c3
0x012c87c3
0x012c87c8
0x012c87d1
0x012c87d4
0x012c87d8
0x012c87e5
0x012c87ec
0x01319bfe
0x01319c00
0x01319c02
0x01319c08
0x01319c0d
0x01319c0f
0x01319c14
0x01319c2d
0x01319c32
0x01319c37
0x01319c3a
0x01319c3c
0x01319c42
0x01319c42
0x01319c3c
0x01319c02
0x012c87da
0x012c87df
0x012c87e3
0x00000000
0x00000000
0x012c87e3
0x012c87f2
0x00000000
0x012c87fb
0x012c87fd
0x012c87fe
0x012c880e
0x012c880f
0x012c8810
0x012c8814
0x012c881a
0x012c881c
0x012c881f
0x012c8821
0x012c8822
0x012c8824
0x012c8826
0x012c882c
0x012c882e
0x01319c48
0x01319c48
0x012c8834
0x012c8834
0x012c8837
0x00000000
0x00000000
0x012c8837
0x012c882e
0x012c883d
0x012c8840
0x012c8843
0x012c8846
0x012c8849
0x012c884c
0x012c884e
0x012c8850
0x012c8852
0x012c8854
0x012c8857
0x012c88b4
0x012c88b6
0x012c88b6
0x012c8859
0x012c8859
0x012c8859
0x012c8861
0x012c8866
0x012c886a
0x012c893d
0x012c8941
0x00000000
0x012c8947
0x012c8947
0x012c894a
0x012c894c
0x00000000
0x012c8952
0x012c8955
0x012c895a
0x012c895d
0x012c895d
0x012c895f
0x012c8961
0x012c8961
0x012c8968
0x00000000
0x00000000
0x012c896a
0x012c896b
0x012c896e
0x00000000
0x012c8970
0x012c8970
0x012c8970
0x012c8970
0x012c8972
0x012c8972
0x012c8974
0x00000000
0x012c897a
0x012c897a
0x012c897d
0x00000000
0x012c8983
0x01319c65
0x01319c6d
0x01319c72
0x01319c75
0x01319c75
0x01319c82
0x01319c86
0x01319c87
0x01319c88
0x01319c89
0x01319c8c
0x01319c90
0x01319c95
0x01319c97
0x01319ca0
0x01319ca3
0x01319ca9
0x01319ca9
0x00000000
0x01319ca9
0x01319ca3
0x00000000
0x01319c97
0x012c897d
0x00000000
0x012c8974
0x012c8988
0x012c8992
0x012c8996
0x00000000
0x012c8996
0x012c894c
0x00000000
0x012c8870
0x012c887b
0x012c887d
0x012c887f
0x012c8881
0x012c8884
0x012c8884
0x012c8886
0x012c8889
0x012c888c
0x012c888e
0x012c8891
0x012c8891
0x012c8898
0x00000000
0x00000000
0x012c889a
0x012c889b
0x012c889e
0x00000000
0x00000000
0x012c88a0
0x012c88a8
0x012c88b0
0x012c88b2
0x012c88d3
0x012c88d5
0x00000000
0x012c88d7
0x012c88db
0x012c88dc
0x012c88e0
0x012c88e8
0x012c88ee
0x012c88f0
0x012c88f3
0x012c88fc
0x012c8901
0x012c8906
0x012c890c
0x012c890c
0x012c890f
0x012c8916
0x012c8917
0x012c8918
0x012c8919
0x012c891a
0x012c891f
0x012c8921
0x01319c52
0x01319c55
0x01319c5b
0x01319cac
0x01319cc0
0x01319cc0
0x01319c55
0x012c8927
0x012c8927
0x012c892f
0x012c8933
0x00000000
0x012c88f5
0x012c88f5
0x00000000
0x012c88f7
0x012c88f7
0x012c88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x012c88fa
0x012c88f5
0x012c88f3
0x00000000
0x012c88d5
0x00000000
0x012c88b2
0x012c88c9
0x00000000
0x012c88c9
0x012c887f
0x012c886a
0x012c8857
0x012c8852
0x012c88bf
0x012c88bf
0x012c87aa
0x012c87ad
0x012c87ae
0x012c87b4
0x012c87b5
0x012c87b6
0x012c87b8
0x012c87bd
0x012c87c1
0x012c87f4
0x012c87fa
0x00000000
0x00000000
0x00000000
0x012c87c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 01319C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01319C18
minkernel\ntdll\ldrsnap.c, xrefs: 01319C28

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 3bdaaa141ba53c34187a312cb1e4e0bcfccdb0027c2898bf820052a56fe0e127
Instruction ID: 41939432cf94fa3eeeacf588a3c15f38709a1ed3c62aa527d851be85408ead44
Opcode Fuzzy Hash: 3bdaaa141ba53c34187a312cb1e4e0bcfccdb0027c2898bf820052a56fe0e127
Instruction Fuzzy Hash: FD91F371A2020BDBEF18DF59D881ABAB7B5FF44B14B44826DDB05AB644E730E901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012C7E41 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E012C7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E012CCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E012BC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x13a5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01335510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x13a5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E012D7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E012D7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01337016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E012D7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E012D7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01337016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E012EA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E012BB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x012c7e4c
0x012c7e50
0x012c7e55
0x012c7e58
0x012c7e5d
0x012c7e71
0x012c7f33
0x012c7e77
0x012c7e77
0x012c7e79
0x012c7e79
0x012c7e7e
0x012c7f45
0x01319848
0x00000000
0x01319848
0x012c7f4e
0x012c7f53
0x012c7f5a
0x00000000
0x00000000
0x0131985a
0x01319862
0x01319866
0x00000000
0x0131986c
0x00000000
0x0131986c
0x012c7e84
0x012c7e84
0x012c7e8d
0x01319871
0x012c7eb8
0x012c7ec0
0x012c7ec0
0x012c7e9a
0x0131987e
0x00000000
0x00000000
0x01319884
0x0131988b
0x013198a7
0x013198ac
0x013198b1
0x013198b6
0x013198b8
0x013198b8
0x013198b9
0x00000000
0x013198b9
0x012c7ea0
0x012c7ea7
0x00000000
0x00000000
0x012c7eac
0x012c7eb1
0x012c7ec6
0x012c7ed0
0x013198cc
0x012c7ed6
0x012c7ed6
0x012c7ed6
0x012c7ede
0x012c7ee3
0x013198e3
0x013198f0
0x01319902
0x013198f2
0x013198fb
0x013198fb
0x01319907
0x0131991d
0x0131991d
0x01319907
0x013198e3
0x012c7ef0
0x012c7f14
0x012c7f14
0x012c7f1e
0x01319946
0x012c7f24
0x012c7f24
0x012c7f24
0x012c7f2c
0x0131996a
0x01319975
0x01319975
0x0131997e
0x01319993
0x01319993
0x0131997e
0x00000000
0x012c7ef2
0x012c7efc
0x012c7f0a
0x012c7f0e
0x01319933
0x00000000
0x01319933
0x00000000
0x012c7f0e
0x00000000
0x00000000
0x00000000
0x012c7eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 01319891
minkernel\ntdll\ldrmap.c, xrefs: 013198A2
LdrpCompleteMapModule, xrefs: 01319898

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 81a965aa3145ff4ed22e4f342383df56363d244b0d03e698a3ece9a4917d72e1
Instruction ID: dbe7d49ba79230cce9430861d6d6c93f008c15826f271ba3cc7f7c1fbcceb4c2
Opcode Fuzzy Hash: 81a965aa3145ff4ed22e4f342383df56363d244b0d03e698a3ece9a4917d72e1
Instruction Fuzzy Hash: 60510232620746DBEB26CB6DC994B2A7BE4AF01B18F040699EB519B7D1D774ED00CF50

Uniqueness

Uniqueness Score: -1.00%

Function 012BE620 Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E012BE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E012BF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E012F95D0();
						}
						if(_t78 != 0) {
							L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E012FFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E012FBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E012F9600();
					if(_t97 < 0) {
						goto L6;
					}
					E012FBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L012BF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E012FBB40(_t83, _t102 + 0x24, _t78);
								if(L012C43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E012FBB40(_t84, _t102 + 0x24, _t94);
									if(L012C43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x012be620
0x012be628
0x012be62f
0x012be631
0x012be635
0x012be637
0x012be63e
0x01315503
0x01315503
0x012be64c
0x012be64c
0x012be651
0x00000000
0x00000000
0x012be661
0x012be665
0x0131542a
0x012be715
0x012be71a
0x012be71c
0x012be720
0x012be720
0x012be727
0x012be736
0x012be736
0x012be743
0x012be743
0x012be673
0x012be678
0x012be67d
0x012be682
0x012be685
0x012be692
0x012be69b
0x012be6a3
0x012be6ad
0x012be6b1
0x012be6b2
0x012be6bb
0x012be6bf
0x012be6c0
0x012be6c8
0x012be6cc
0x012be6d5
0x012be6d9
0x00000000
0x00000000
0x012be6e5
0x012be6ea
0x012be6f9
0x012be70b
0x012be70f
0x01315439
0x0131545e
0x0131545e
0x00000000
0x0131545e
0x0131543b
0x0131543e
0x01315440
0x01315445
0x01315472
0x01315475
0x0131548d
0x01315493
0x013154a9
0x00000000
0x00000000
0x013154ab
0x013154b4
0x013154bc
0x013154c8
0x013154de
0x013154fb
0x013154e0
0x013154e6
0x013154eb
0x013154eb
0x013154de
0x00000000
0x013154bc
0x01315477
0x0131547a
0x01315480
0x01315483
0x01315486
0x0131548b
0x00000000
0x00000000
0x00000000
0x0131548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01315447
0x01315447
0x01315447
0x01315447
0x0131544e
0x00000000
0x00000000
0x01315450
0x01315452
0x01315455
0x0131545a
0x00000000
0x00000000
0x00000000
0x0131545c
0x0131546a
0x0131546d
0x0131546f
0x00000000
0x0131546f
0x012be70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 012BE68C
InstallLanguageFallback, xrefs: 012BE6DB
@, xrefs: 012BE6C0

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 8d735b10e7de41b9b1dbc974cdc9985346aa7455ba1806d6fd4d29be1e126bc7
Instruction ID: 1668c39ebf7b90d07328cedc2a3aa525c3f184308096ded9e69a2f7406b439cf
Opcode Fuzzy Hash: 8d735b10e7de41b9b1dbc974cdc9985346aa7455ba1806d6fd4d29be1e126bc7
Instruction Fuzzy Hash: A85108725143469BD718DF68C480ABBB3E8BF89758F05092EFA85E7200FB34D944C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0134FF10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0134FF9A

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0134FF60

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: DebugPrintTimes
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 3446177414-1911121157
Opcode ID: 8aa28132bf16b69c50fe51357a55aa876b4b35a720036d0e0df3926eb9ecc821
Instruction ID: fce5e11e39c978ac9aad0a3a4aadf9659f27321d38de635e06092b2d13215d6b
Opcode Fuzzy Hash: 8aa28132bf16b69c50fe51357a55aa876b4b35a720036d0e0df3926eb9ecc821
Instruction Fuzzy Hash: CC11D275950544EFDF26DF98C948F98BBF5FF08708F588054F1086B6A1C739A948CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013351BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E013351BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x13905f0);
				E0130D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E012CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E013353CA(0);
						return E0130D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E012FF3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E012D3690(1, _t117, 0x1291810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E012FAA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L012D4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E012FAA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0133500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E012F9860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x013351be
0x013351c3
0x013351c8
0x013351cd
0x013351d0
0x013351d3
0x013351d8
0x013351db
0x013351de
0x013351e0
0x013351e3
0x013351e6
0x013351e8
0x01335342
0x01335351
0x01335356
0x0133535a
0x01335360
0x01335363
0x01335366
0x01335369
0x01335369
0x0133536b
0x0133536b
0x01335370
0x013353a3
0x013353a4
0x013353a6
0x013353ab
0x013353ab
0x013353ae
0x013353ae
0x013353b5
0x013353bf
0x013353bf
0x01335375
0x01335396
0x013353a0
0x013353a0
0x00000000
0x01335396
0x01335377
0x01335379
0x0133537f
0x0133538c
0x01335390
0x00000000
0x01335390
0x013351ee
0x013351f1
0x01335301
0x01335310
0x01335315
0x01335318
0x0133531b
0x01335320
0x0133532e
0x01335331
0x00000000
0x01335331
0x01335328
0x01335329
0x00000000
0x01335329
0x013351fa
0x01335235
0x01335236
0x01335239
0x0133523f
0x01335240
0x01335241
0x01335242
0x01335246
0x01335247
0x0133524e
0x01335251
0x01335267
0x01335269
0x0133526e
0x0133527d
0x0133527e
0x01335281
0x01335282
0x01335287
0x01335288
0x0133528a
0x0133528f
0x01335294
0x00000000
0x00000000
0x0133529a
0x0133529c
0x0133529e
0x0133529e
0x013352a4
0x013352b0
0x00000000
0x00000000
0x013352ba
0x013352bc
0x013352bc
0x013352d4
0x013352d9
0x013352dc
0x013352e1
0x00000000
0x00000000
0x013352e7
0x013352f4
0x00000000
0x013352f4
0x01335270
0x00000000
0x01335270
0x013351fc
0x013351fd
0x01335202
0x01335203
0x01335205
0x0133520a
0x0133520f
0x00000000
0x00000000
0x0133521b
0x01335226
0x0133522b
0x0133521d
0x0133521d
0x01335222
0x01335222
0x0133522d
0x00000000

Strings

UEFI, xrefs: 0133521D
Legacy, xrefs: 01335226

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 293a9fbe8a70fe48d383469f0c622b8c0494caf6713539d1bfc8bbfed19a0a04
Instruction ID: adc91ad71e5d87a493548a39eba2afc8db9987bb1474794706fd0272b83f2120
Opcode Fuzzy Hash: 293a9fbe8a70fe48d383469f0c622b8c0494caf6713539d1bfc8bbfed19a0a04
Instruction Fuzzy Hash: 53517EB1E106099FDB25DFA8C890BADBBF8FF88714F14402DE649EB251D7719900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 012CD5E0 Relevance: 1.9, APIs: 1, Instructions: 353
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E012CD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x13ad360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E012C6600(0x13a52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x13a7b9c; // 0x0
							_t281 = L012D4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E012FF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x13a7b90; // 0x77cf0000
								if(_t384 == 0) {
									_t353 =  *0x13a7b8c; // 0xff2b40
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0xff2bf0
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E012D2280(_t200, 0x13a84d8);
									_t277 =  *0x13a85f4; // 0xff3030
									_t351 =  *0x13a85f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x76d70000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0xff3078
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0xff2fc8
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0xff3078
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0xff56c8
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E012CFFB0(_t287, _t353, 0x13a84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0130CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E012C6600(0x13a52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E012C7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x13ab239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0133E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x13a8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x13ab218; // 0x0
														asm("ror edi, cl");
														 *0x13ab1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E012D2280(_t250, 0x13a84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L012F3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E012CFFB0(_t293, _t353, 0x13a84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E012F37F5(_t353, 0);
																}
																E012F0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E012E9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E012E02D6(_t174);
																}
																L012D77F0( *0x13a7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E012EC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L012CEC7F(_t353);
										L012E19B8(_t287, 0, _t353, 0);
										_t200 = E012BF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E012FB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x13ab2f8; // 0x0
									if((_t206 |  *0x13ab2fc) == 0 || ( *0x13ab2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x13ab2ec; // 0x0
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E01366B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E01366AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E012CE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L012CEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E012F9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E012CE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L012C8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E012F3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x012cd5f2
0x012cd5f5
0x012cd5f5
0x012cd5fd
0x012cd600
0x012cd60a
0x012cd60d
0x012cd617
0x012cd61d
0x012cd627
0x012cd62e
0x012cd911
0x012cd913
0x00000000
0x012cd919
0x012cd919
0x012cd919
0x012cd634
0x012cd634
0x012cd634
0x012cd634
0x012cd640
0x012cd8bf
0x00000000
0x012cd646
0x012cd646
0x012cd64d
0x012cd652
0x0131b2fc
0x0131b2fc
0x0131b302
0x0131b33b
0x0131b341
0x00000000
0x0131b304
0x0131b304
0x0131b319
0x0131b31e
0x0131b324
0x0131b326
0x0131b332
0x0131b347
0x0131b34c
0x0131b351
0x0131b35a
0x00000000
0x0131b328
0x0131b328
0x00000000
0x0131b328
0x0131b326
0x012cd658
0x012cd658
0x012cd65b
0x012cd665
0x00000000
0x012cd66b
0x012cd66b
0x012cd66b
0x012cd66b
0x012cd66d
0x012cd672
0x012cd67a
0x00000000
0x00000000
0x012cd680
0x012cd686
0x012cd8ce
0x012cd8d4
0x012cd8da
0x012cd8dd
0x012cd8dd
0x012cd8e0
0x012cd68c
0x012cd691
0x012cd69d
0x012cd6a2
0x012cd6a7
0x012cd6b0
0x012cd6b0
0x012cd6b5
0x012cd6e0
0x012cd6b7
0x012cd6b7
0x012cd6b9
0x012cd6b9
0x012cd6bb
0x012cd6bd
0x012cd6ce
0x012cd6d0
0x012cd6d2
0x0131b363
0x0131b365
0x00000000
0x0131b36b
0x00000000
0x0131b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x012cd6bf
0x012cd6bf
0x012cd6e5
0x012cd6e7
0x012cd6e9
0x012cd6e9
0x012cd6ec
0x012cd6ec
0x012cd6ef
0x012cd6f5
0x012cd6f9
0x012cd6fb
0x012cd6fd
0x012cd701
0x012cd703
0x012cd70a
0x012cd70a
0x012cd70a
0x012cd701
0x012cd70d
0x012cd710
0x012cd710
0x012cd6c1
0x012cd6c1
0x012cd6c1
0x012cd6c6
0x0131b36d
0x0131b36f
0x00000000
0x0131b375
0x0131b375
0x0131b375
0x00000000
0x0131b375
0x00000000
0x012cd6cc
0x012cd6d8
0x012cd6d8
0x012cd6d8
0x00000000
0x012cd6c6
0x012cd6bf
0x00000000
0x012cd6da
0x012cd6da
0x012cd716
0x012cd71b
0x012cd720
0x012cd726
0x012cd726
0x012cd72d
0x00000000
0x012cd733
0x012cd739
0x012cd742
0x012cd750
0x012cd758
0x012cd764
0x012cd776
0x012cd77a
0x012cd783
0x012cd928
0x012cd92c
0x012cd93d
0x012cd944
0x012cd94f
0x012cd954
0x012cd956
0x012cd95f
0x012cd961
0x012cd973
0x012cd973
0x012cd956
0x012cd944
0x012cd92c
0x012cd78b
0x0131b394
0x012cd791
0x012cd798
0x0131b3a3
0x0131b3bb
0x0131b3bb
0x012cd7a5
0x012cd866
0x012cd870
0x012cd884
0x012cd892
0x012cd898
0x012cd89e
0x012cd8a0
0x012cd8a6
0x012cd8ac
0x012cd8ae
0x012cd8b4
0x012cd8b4
0x012cd8ae
0x012cd7a5
0x012cd78b
0x012cd7b1
0x0131b3c5
0x0131b3c5
0x012cd7c3
0x012cd7ca
0x012cd7e5
0x012cd7eb
0x012cd8eb
0x012cd8ed
0x00000000
0x012cd8f3
0x012cd8f3
0x012cd8f3
0x00000000
0x012cd8ed
0x012cd7cc
0x012cd7cc
0x012cd7d2
0x00000000
0x012cd7d4
0x012cd7d4
0x012cd7d7
0x012cd7df
0x0131b3d4
0x0131b3d9
0x0131b3dc
0x0131b3dc
0x0131b3df
0x0131b3e2
0x0131b468
0x0131b46d
0x0131b46f
0x0131b46f
0x0131b475
0x012cd8f8
0x012cd8f9
0x012cd8fd
0x0131b3e8
0x0131b3e8
0x0131b3eb
0x0131b3ed
0x00000000
0x0131b3ef
0x0131b3ef
0x0131b3f1
0x0131b3f4
0x0131b3fe
0x0131b404
0x0131b409
0x0131b40e
0x0131b410
0x0131b410
0x0131b414
0x0131b414
0x0131b41b
0x0131b420
0x0131b423
0x0131b425
0x0131b427
0x0131b42a
0x0131b42d
0x0131b42d
0x0131b42a
0x0131b432
0x0131b436
0x0131b438
0x0131b43b
0x0131b43b
0x0131b449
0x0131b44e
0x0131b454
0x0131b458
0x0131b458
0x0131b45d
0x00000000
0x0131b45d
0x0131b3ed
0x00000000
0x00000000
0x00000000
0x012cd7df
0x012cd7d2
0x012cd7ca
0x0131b37c
0x0131b37e
0x0131b385
0x0131b38a
0x00000000
0x0131b38a
0x012cd742
0x012cd7f1
0x012cd7f8
0x0131b49b
0x0131b49b
0x012cd800
0x012cd837
0x012cd843
0x012cd845
0x012cd847
0x012cd84a
0x012cd84b
0x012cd84e
0x012cd857
0x012cd802
0x012cd802
0x012cd80d
0x00000000
0x012cd818
0x012cd818
0x012cd824
0x012cd831
0x0131b4a5
0x0131b4ab
0x0131b4b3
0x0131b4b8
0x0131b4bb
0x00000000
0x0131b4c1
0x0131b4c1
0x0131b4c8
0x00000000
0x0131b4ce
0x0131b4d4
0x0131b4e1
0x0131b4e3
0x0131b4e5
0x00000000
0x0131b4eb
0x0131b4f0
0x0131b4f2
0x012cdac9
0x012cdacc
0x012cdacf
0x012cdad1
0x012cdd78
0x012cdd78
0x012cdcf2
0x00000000
0x012cdad7
0x012cdad9
0x012cdadb
0x00000000
0x00000000
0x012cdae1
0x012cdae1
0x012cdae4
0x012cdae6
0x0131b4f9
0x0131b4f9
0x0131b500
0x012cdaec
0x012cdaec
0x012cdaf5
0x012cdaf8
0x012cdafb
0x012cdb03
0x012cdb11
0x012cdb16
0x012cdb19
0x012cdb1b
0x0131b52c
0x0131b531
0x0131b534
0x012cdb21
0x012cdb21
0x012cdb24
0x012cdcd9
0x012cdce2
0x012cdce5
0x012cdd6a
0x012cdd6d
0x00000000
0x012cdd73
0x0131b51a
0x0131b51c
0x0131b51f
0x0131b524
0x00000000
0x0131b524
0x012cdce7
0x012cdce7
0x012cdce7
0x00000000
0x012cdce7
0x00000000
0x012cdb2a
0x012cdb2c
0x012cdb31
0x012cdb33
0x012cdb36
0x012cdb39
0x012cdb3b
0x012cdb66
0x012cdb66
0x012cdb3d
0x012cdb3d
0x012cdb3e
0x012cdb46
0x012cdb47
0x012cdb49
0x012cdb4c
0x012cdb53
0x012cdb55
0x012cdb58
0x012cdb5a
0x0131b50a
0x0131b50f
0x0131b512
0x012cdb60
0x012cdb60
0x012cdb63
0x012cdb63
0x00000000
0x012cdb63
0x012cdb5a
0x012cdb3b
0x012cdb24
0x012cdb69
0x012cdb69
0x012cdb6c
0x012cdb6f
0x012cdb74
0x0131b557
0x0131b557
0x0131b55e
0x012cdb7a
0x012cdb7c
0x012cdb7f
0x012cdb82
0x012cdb85
0x00000000
0x012cdb8b
0x012cdb8b
0x012cdb8d
0x012cdb9b
0x012cdb9b
0x012cdb9d
0x012cdba0
0x012cdba2
0x012cdba4
0x012cdba7
0x012cdba9
0x012cdbae
0x012cdbae
0x012cdbb1
0x012cdbb4
0x012cdbb4
0x012cdbb7
0x012cdbba
0x012cdcd2
0x012cdcd4
0x00000000
0x012cdbc0
0x012cdbc0
0x012cdbd2
0x012cdbd7
0x012cdbda
0x012cdbdd
0x012cdbdf
0x00000000
0x012cdbe5
0x012cdbe5
0x012cdbee
0x012cdbf1
0x0131b541
0x0131b544
0x00000000
0x0131b546
0x0131b546
0x00000000
0x0131b546
0x012cdbf7
0x012cdbf7
0x012cdbfd
0x012cdbfd
0x012cdbff
0x012cdc0b
0x012cdc15
0x012cdc1b
0x012cdc1d
0x012cdc21
0x012cdc21
0x012cdc23
0x012cdc23
0x012cdc26
0x012cdc29
0x012cdc2b
0x00000000
0x00000000
0x012cdc31
0x012cdc34
0x012cdc36
0x012cdcbf
0x012cdcbf
0x012cdcc2
0x00000000
0x012cdc3c
0x012cdc41
0x012cdc43
0x00000000
0x012cdc45
0x012cdc45
0x012cdc47
0x00000000
0x012cdc4d
0x012cdc4d
0x012cdc50
0x012cdc52
0x012cdc55
0x012cdcfa
0x012cdcfe
0x012cdd08
0x012cdd0a
0x012cdd0c
0x00000000
0x012cdd12
0x012cdd15
0x012cdd2d
0x012cdd2f
0x012cdd32
0x012cdd35
0x00000000
0x012cdd35
0x012cdc5b
0x012cdc5b
0x012cdc5e
0x012cdc61
0x012cdc64
0x012cdc67
0x012cdc67
0x012cdc6a
0x012cdc6c
0x012cdc8e
0x012cdc8e
0x012cdc91
0x012cdc93
0x012cdcce
0x012cdcce
0x012cdc95
0x012cdc9c
0x012cdc6e
0x012cdc72
0x012cdc75
0x012cdc77
0x012cdc79
0x0131b551
0x0131b551
0x00000000
0x012cdc7f
0x012cdc7f
0x012cdc81
0x00000000
0x012cdc83
0x012cdc86
0x012cdc88
0x00000000
0x00000000
0x00000000
0x00000000
0x012cdc88
0x012cdc81
0x012cdc79
0x012cdc6c
0x012cdc55
0x012cdc47
0x012cdc43
0x00000000
0x012cdc36
0x012cdc23
0x00000000
0x012cdbff
0x012cdbf1
0x012cdbdf
0x012cdb8f
0x012cdb92
0x012cdb95
0x00000000
0x00000000
0x00000000
0x00000000
0x012cdb95
0x012cdb8d
0x012cdb85
0x012cdb74
0x012cdc9f
0x012cdca2
0x012cdcb0
0x012cdcb0
0x012cdad1
0x0131b4e5
0x0131b4c8
0x00000000
0x00000000
0x00000000
0x012cd831
0x012cd80d
0x00000000
0x012cd800
0x0131b47f
0x0131b485
0x00000000
0x0131b485
0x012cd665
0x012cd652
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 012CD898

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ccdb20d3111327e45ed1547ae6bccbbe6bcfa1104a0da2aa00fa36bbcd0b936b
Instruction ID: 82c81a0f9468da77b2d8251de126e196d36e98bf7f00bc4ae0862f3a6c93a0dd
Opcode Fuzzy Hash: ccdb20d3111327e45ed1547ae6bccbbe6bcfa1104a0da2aa00fa36bbcd0b936b
Instruction Fuzzy Hash: 9CE1F330A1035ACFEB38DF68C880B79B7B5BF45708F0442ADDB09A7295D774A985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012E513A Relevance: 1.8, APIs: 1, Instructions: 258
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E012E513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x13ad360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E012FD0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E012D2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L012D4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E012FF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E012CFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x13ab1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E012FB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x012e5142
0x012e514c
0x012e5150
0x012e5157
0x012e5159
0x012e515e
0x012e5165
0x012e5169
0x012e516c
0x012e5172
0x012e5176
0x012e517a
0x012e517a
0x012e517a
0x012e517f
0x01326d8b
0x01326d8e
0x01326d91
0x01326d95
0x01326d98
0x01326d9c
0x01326da0
0x01326da3
0x01326da7
0x01326e26
0x01326e26
0x01326e2a
0x012e51f9
0x012e51f9
0x012e51fe
0x01326e33
0x01326e33
0x01326e39
0x01326e3d
0x01326e46
0x01326e50
0x00000000
0x00000000
0x01326e52
0x01326e53
0x01326e56
0x01326e5d
0x00000000
0x00000000
0x00000000
0x01326e5f
0x01326e67
0x01326e77
0x01326e7f
0x01326e80
0x01326e88
0x01326e90
0x01326e9f
0x01326ea5
0x01326ea9
0x01326eb1
0x01326ebf
0x00000000
0x00000000
0x01326ecf
0x01326ed3
0x00000000
0x00000000
0x01326edb
0x01326ede
0x01326ee1
0x01326ee8
0x01326eeb
0x01326eed
0x01326ef0
0x01326ef4
0x01326ef8
0x01326efc
0x00000000
0x00000000
0x01326f0d
0x01326f11
0x01326f32
0x01326f37
0x01326f3b
0x01326f3e
0x01326f41
0x01326f46
0x00000000
0x00000000
0x01326f4c
0x01326f50
0x01326f50
0x01326f54
0x01326f62
0x01326f65
0x01326f6d
0x01326f7b
0x01326f7b
0x01326f93
0x01326f98
0x01326fa0
0x01326fa6
0x01326fb3
0x01326fb6
0x01326fbf
0x01326fc1
0x01326fd5
0x01326fda
0x01326fda
0x01326fdd
0x01326fe2
0x01326fe7
0x01326feb
0x01326fef
0x01326ff3
0x012e520c
0x012e520c
0x012e520f
0x012e5215
0x012e5234
0x012e523a
0x012e523a
0x012e5244
0x012e5245
0x012e5246
0x012e5251
0x012e5251
0x01326f13
0x01326f17
0x01326f17
0x01326f18
0x01326f1b
0x01326f1f
0x01326f23
0x00000000
0x01326f28
0x012e5204
0x012e5204
0x012e5208
0x00000000
0x012e5208
0x012e5185
0x012e5188
0x012e518a
0x012e518e
0x012e5195
0x01326db1
0x01326db5
0x01326db9
0x012e519b
0x012e519b
0x012e519e
0x012e51a7
0x012e51a9
0x012e51a9
0x012e51b5
0x012e51b8
0x012e51bb
0x012e51be
0x012e51c1
0x012e51c5
0x012e51c9
0x012e51cd
0x012e51cd
0x012e51d8
0x012e51dc
0x012e51e0
0x01326dcc
0x01326dd0
0x01326dd5
0x01326ddd
0x01326de1
0x01326de1
0x01326de5
0x01326deb
0x01326df1
0x01326df7
0x01326dfd
0x01326e01
0x01326e05
0x01326e09
0x01326e0d
0x01326e11
0x01326e11
0x012e51eb
0x01326e1a
0x01326e1f
0x01326e21
0x01326e23
0x00000000
0x012e51f1
0x012e51f1
0x00000000
0x012e51f1

APIs

RtlDebugPrintTimes.NTDLL ref: 012E5234

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4a91a9f1a85507f28b1972845413ec8142191c6a5c4948b01f6edd99b87fa31d
Instruction ID: e1b142f437b04e66f0a2d189f8774cfd2cfb322d180ee958b299580da4bd70e7
Opcode Fuzzy Hash: 4a91a9f1a85507f28b1972845413ec8142191c6a5c4948b01f6edd99b87fa31d
Instruction Fuzzy Hash: 18C133B55183818FD354CF28C581A6AFBF1BF88308F584A6EF9998B352D771E845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 012E03E2 Relevance: 1.8, APIs: 1, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E012E03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x13ad360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E012E0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E012FB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E012CB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x13a7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E012D7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E012D7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E01337016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E012F9830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E013369A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x13a7c04 != 0) {
						_t118 = _v12;
						_t120 = E0133A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x13a7bd8;
						if( *0x13a7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E012F95D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E012F99A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E01333540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E012BB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E012FAAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x13a8474 - 3;
										if( *0x13a8474 != 3) {
											 *0x13a79dc =  *0x13a79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E012D7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E012D7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E01337016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x13a8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x13a7b00; // 0x0
							asm("ror esi, cl");
							 *0x13ab1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E012F95D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E012C7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x012e03f1
0x012e03f7
0x012e03f9
0x012e03fb
0x012e03fd
0x012e0400
0x012e040a
0x01324c7a
0x012e0537
0x012e0547
0x012e0410
0x012e0410
0x012e0414
0x012e0417
0x012e041a
0x012e0421
0x012e0424
0x012e042b
0x012e043b
0x012e043e
0x012e043f
0x012e043f
0x012e0446
0x012e0449
0x012e044c
0x012e044f
0x012e0459
0x01324c8d
0x012e045f
0x012e045f
0x012e045f
0x012e0467
0x01324c97
0x01324c9d
0x01324ca4
0x01324caa
0x01324caf
0x01324cb1
0x01324cc3
0x01324cb3
0x01324cbc
0x01324cbc
0x01324cc8
0x01324ccb
0x01324cd7
0x01324cda
0x01324cdf
0x01324cdf
0x01324ccb
0x01324ca4
0x012e046d
0x012e046f
0x012e046f
0x012e0471
0x012e0476
0x012e047a
0x012e047b
0x012e0483
0x012e0489
0x012e048d
0x00000000
0x00000000
0x01324ce9
0x01324cef
0x01324d22
0x01324d22
0x00000000
0x01324d22
0x01324cf1
0x01324cf7
0x00000000
0x00000000
0x01324cf9
0x01324cff
0x00000000
0x00000000
0x01324d05
0x01324d07
0x00000000
0x00000000
0x01324d0d
0x01324d0f
0x01324d14
0x01324d16
0x00000000
0x00000000
0x01324d1c
0x01324d1c
0x012e0499
0x012e0535
0x012e0535
0x00000000
0x012e0535
0x012e04a6
0x01324d2c
0x01324d37
0x01324d39
0x01324d3b
0x00000000
0x00000000
0x01324d41
0x01324d48
0x012e0527
0x012e052b
0x012e052d
0x012e0530
0x012e0530
0x00000000
0x012e052b
0x01324d4e
0x012e04ac
0x012e04ac
0x012e04af
0x012e04b2
0x012e04b7
0x012e04b9
0x012e04bb
0x012e04bd
0x012e04bf
0x012e04c5
0x012e04c9
0x01324d53
0x01324d59
0x01324db9
0x01324dba
0x01324dbf
0x01324dc2
0x01324dc4
0x01324dc7
0x01324dce
0x00000000
0x01324dce
0x01324d5b
0x01324d61
0x00000000
0x00000000
0x01324d63
0x01324d69
0x00000000
0x00000000
0x01324d6b
0x01324d6e
0x01324d74
0x01324d76
0x01324d7c
0x01324d7e
0x01324d84
0x01324d89
0x01324d8c
0x01324d8d
0x01324d92
0x01324d95
0x01324d96
0x01324d98
0x01324d9a
0x01324d9f
0x01324da4
0x01324da6
0x01324da8
0x01324daf
0x01324db1
0x01324db1
0x01324daf
0x01324da6
0x01324d84
0x01324d7c
0x00000000
0x01324d74
0x012e04d6
0x01324de1
0x012e04dc
0x012e04dc
0x012e04dc
0x012e04e4
0x01324deb
0x01324df1
0x01324df8
0x01324dfe
0x01324e03
0x01324e05
0x01324e17
0x01324e07
0x01324e10
0x01324e10
0x01324e1c
0x01324e1f
0x01324e35
0x01324e35
0x01324e1f
0x01324df8
0x012e04f1
0x012e04fa
0x01324e3f
0x01324e47
0x01324e5b
0x01324e61
0x01324e67
0x01324e69
0x01324e71
0x01324e73
0x012e0500
0x012e0500
0x012e0500
0x012e04fa
0x012e0508
0x012e051d
0x012e051d
0x012e051f
0x012e0524
0x00000000
0x012e0524
0x012e0515
0x012e0517
0x01324e7a
0x01324e7c
0x00000000
0x00000000
0x01324e85
0x00000000
0x01324e85
0x00000000
0x012e0517

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c274fef587830679b258d245984a80581af79e21bf86e444cf3cfd829b94622
Instruction ID: 834a5c5cbb046fb07378d912362d7db61c15a688565b400eb1911e184725e7ee
Opcode Fuzzy Hash: 8c274fef587830679b258d245984a80581af79e21bf86e444cf3cfd829b94622
Instruction Fuzzy Hash: 22912631F10226AFEB31AB6CD848BBDBBE4EB01718F450265FA11AB2D1D7B49C41C785

Uniqueness

Uniqueness Score: -1.00%

Function 012BB171 Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E012BB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x138f7a8);
				E0130D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0130D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E012FD000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E012FF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											E0130DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E012FB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E012FB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E012FE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E012FA890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x012bb171
0x012bb171
0x012bb171
0x012bb171
0x012bb171
0x012bb176
0x012bb17b
0x012bb180
0x012bb186
0x012bb18f
0x012bb198
0x012bb1a4
0x012bb1aa
0x01314802
0x01314802
0x01314805
0x0131480c
0x0131480e
0x012bb1d1
0x012bb1d3
0x012bb1de
0x012bb1de
0x01314817
0x0131481e
0x01314820
0x01314822
0x01314822
0x01314824
0x01314824
0x0131482a
0x00000000
0x00000000
0x01314835
0x0131483a
0x0131483d
0x0131483f
0x01314842
0x01314842
0x01314842
0x01314846
0x0131484c
0x0131484e
0x01314851
0x01314851
0x01314853
0x01314854
0x01314854
0x01314858
0x0131485a
0x0131485a
0x0131485d
0x0131485f
0x01314861
0x01314861
0x01314866
0x0131486b
0x0131486e
0x01314871
0x01314876
0x01314876
0x01314878
0x0131487b
0x01314884
0x01314884
0x00000000
0x0131487d
0x0131487d
0x01314882
0x01314889
0x01314889
0x0131488f
0x01314891
0x013148e0
0x013148e2
0x013148e4
0x013148e4
0x013148e7
0x013148e7
0x013148ed
0x013148f4
0x013148f6
0x01314951
0x01314951
0x01314953
0x01314953
0x01314956
0x01314956
0x01314958
0x01314959
0x01314959
0x0131495d
0x0131495d
0x0131495f
0x0131495f
0x01314965
0x01314969
0x013149ba
0x013149ba
0x013149c1
0x013149c5
0x013149cc
0x013149d4
0x013149d7
0x013149da
0x013149e4
0x013149e5
0x013149f3
0x01314a02
0x00000000
0x01314a02
0x01314972
0x01314974
0x00000000
0x00000000
0x01314976
0x01314979
0x01314982
0x01314983
0x01314984
0x0131498b
0x0131498d
0x01314991
0x01314993
0x01314999
0x0131499d
0x013149a2
0x013149a2
0x013149a2
0x01314999
0x013149ac
0x00000000
0x013149b3
0x013148f8
0x013148fe
0x00000000
0x00000000
0x00000000
0x013148fe
0x01314895
0x0131489c
0x013148ad
0x013148b2
0x013148b5
0x013148b7
0x013148ba
0x013148bc
0x013148c6
0x013148c6
0x013148cb
0x013148d1
0x013148d4
0x013148d8
0x013148d8
0x00000000
0x013148d8
0x013148be
0x013148c0
0x00000000
0x00000000
0x013148c2
0x00000000
0x00000000
0x00000000
0x013148c4
0x00000000
0x01314882
0x0131487b
0x01314904
0x01314906
0x00000000
0x00000000
0x01314908
0x0131490e
0x00000000
0x00000000
0x01314910
0x01314917
0x01314917
0x00000000
0x01314917
0x012bb1ba
0x013147f9
0x013147fc
0x00000000
0x00000000
0x00000000
0x013147fc
0x012bb1c0
0x012bb1c0
0x012bb1c3
0x012bb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 013148AD

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: dd21813ff17e99ce003ca1c60f4bb514b6504b82d23f12da520679b22fe99854
Instruction ID: 7ccde790c87d5fbf49322c9fa22c7357c3de8d0d5fbf56f0a87b0f8d3e9c554f
Opcode Fuzzy Hash: dd21813ff17e99ce003ca1c60f4bb514b6504b82d23f12da520679b22fe99854
Instruction Fuzzy Hash: FD51E071D1025A8EEB39CF68C844BBEBFB1BF04718F2041ADD959AB286D7714941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012DB944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E012DB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x13ad360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E012D7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01388CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E012F9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E012FB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E012FCE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E012D7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01388F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E012FAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x13a8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x13a862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x13a8628; // 0x0
							_t116 =  *0x13a862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x012db94c
0x012db956
0x012db95c
0x012db95e
0x012db964
0x012db969
0x012db96d
0x012db96d
0x012db970
0x012db974
0x012db97a
0x012dbadf
0x012dbadf
0x012dbae2
0x012dbae4
0x012dbae6
0x012dbaf0
0x01322cb8
0x012dbaf6
0x012dbaf6
0x012dbaf6
0x012dbafd
0x012dbb1f
0x012dbb1f
0x012dbaff
0x012dbb00
0x012dbb00
0x012dbb03
0x012dbb03
0x012dbacb
0x012dbacf
0x012dbad0
0x012dbad1
0x012dbadc
0x012dbadc
0x012db980
0x012db980
0x012db988
0x012db98b
0x012db98d
0x012db990
0x012db993
0x012db999
0x012db99b
0x012db9a1
0x012db9a5
0x012db9aa
0x012db9b0
0x012db9bb
0x012db9c0
0x012db9c3
0x012db9ca
0x012db9cc
0x012db9cf
0x012db9d3
0x012db9d7
0x012dba94
0x012dba94
0x012dba98
0x012dbaa3
0x01322ccb
0x012dbaa9
0x012dbaa9
0x012dbaa9
0x012dbab1
0x01322cd5
0x01322cdd
0x01322cdd
0x012dbabb
0x012dbabc
0x012dbac2
0x012dbac3
0x012dbac3
0x012dbac6
0x00000000
0x012db9dd
0x012db9dd
0x012db9e7
0x012db9e7
0x012db9ec
0x012db9ec
0x012db9f1
0x012db9f5
0x012db9fa
0x012dba00
0x012dba0c
0x012dba10
0x012dba10
0x012dba12
0x012dba18
0x00000000
0x00000000
0x012dbb26
0x012dbb26
0x012dba1e
0x012dba1e
0x012dba23
0x012dba25
0x012dba2c
0x012dba30
0x012dba35
0x012dba35
0x012dba41
0x012dba46
0x012dba4c
0x012dba50
0x012dba54
0x012dba6a
0x012dba6e
0x012dba70
0x012dba74
0x012dba78
0x012dba7a
0x012dba7c
0x012dba8e
0x012dba90
0x012dba92
0x012dbb14
0x012dbb14
0x012dbb16
0x012dbb16
0x00000000
0x012dba7c
0x012dbb0a
0x012dbb0d
0x00000000
0x00000000
0x00000000
0x012dbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012DB9A5

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 09f4d1beff110f1e513d0c30f3ca3d02fb8ebdfe5f47b594faf50a2cb44d30b0
Instruction ID: eec03dacb24bdece5b3a7f06204c508e86f67acfe2e4bc09e840dc295780c80c
Opcode Fuzzy Hash: 09f4d1beff110f1e513d0c30f3ca3d02fb8ebdfe5f47b594faf50a2cb44d30b0
Instruction Fuzzy Hash: B5517971A28342CFC720DF28C09092BBBE5FB89614F55496EFA8587355E770E840CB82

Uniqueness

Uniqueness Score: -1.00%

Function 012F4A2C Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E012F4A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x13ad360 ^ _t62;
				_v8 =  *0x13ad360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E012D2280(_t26, 0x13a8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E012CFFB0(_t41, _t51, 0x13a8608);
						L2:
						 *0x13ab1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E012FB640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E012D2280(_t28, 0x13a8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E012CFFB0(_t42, _t53, 0x13a8608);
							if(_t53 != 0) {
								L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E012CFFB0(_t41, _t51, 0x13a8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x012f4a2c
0x012f4a34
0x012f4a3c
0x012f4a3e
0x012f4a48
0x012f4a4b
0x012f4a4d
0x012f4a51
0x012f4a9c
0x00000000
0x00000000
0x012f4aa3
0x012f4aa8
0x012f4aad
0x012f4ab1
0x012f4ade
0x012f4ae3
0x012f4a5a
0x012f4a62
0x012f4a6a
0x012f4a6e
0x0132f203
0x012f4a84
0x012f4a88
0x012f4a89
0x012f4a8a
0x012f4a95
0x012f4a95
0x012f4a79
0x012f4a80
0x012f4af2
0x012f4af4
0x012f4af9
0x012f4aff
0x012f4b01
0x012f4b03
0x012f4b08
0x0132f20a
0x0132f212
0x0132f216
0x0132f216
0x012f4b08
0x012f4b13
0x012f4b1a
0x0132f229
0x0132f229
0x012f4b1a
0x012f4a82
0x00000000
0x012f4a82
0x012f4ab7
0x012f4acd
0x012f4acd
0x012f4ad5
0x012f4ada
0x00000000
0x012f4ada
0x012f4ac2
0x012f4acb
0x00000000
0x00000000
0x00000000
0x012f4acb
0x012f4a53
0x012f4a53
0x012f4a58
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 012F4A62

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: bf6806203ea5d1b6d348e19ae93a4462238d4e5815b59d16419ec1d1a5be6338
Instruction ID: 4ab8f0c5bc10bd416b1744e3a75fdb61cd2eaecd1477ea56f4a5d4c917f525a0
Opcode Fuzzy Hash: bf6806203ea5d1b6d348e19ae93a4462238d4e5815b59d16419ec1d1a5be6338
Instruction Fuzzy Hash: 5C310232225392DBD721AF18C945B2BFBA5FF81B14F44456DEB5607651CBB0E808CB85

Uniqueness

Uniqueness Score: -1.00%

Function 012D0050 Relevance: 1.6, APIs: 1, Instructions: 81
timeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E012D0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x13ad360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E012E9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E012FB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E01388A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E012E9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x13ab1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x012d0055
0x012d005d
0x012d0062
0x012d006c
0x012d006f
0x012d0074
0x012d007a
0x012d007a
0x012d0080
0x012d0080
0x012d0087
0x012d008d
0x012d008f
0x012d0093
0x012d0095
0x012d009b
0x012d00f8
0x012d00fb
0x012d00fc
0x012d00ff
0x012d0108
0x012d0108
0x012d00a2
0x012d00a6
0x012d00b3
0x012d00bc
0x012d00c5
0x012d00ca
0x0131c01e
0x00000000
0x00000000
0x0131c02d
0x012d00d5
0x012d00d9
0x0131c03d
0x0131c046
0x0131c046
0x012d00df
0x012d00e2
0x012d00ea
0x012d00ef
0x012d00f2
0x012d00f6
0x012d0111
0x012d0117
0x012d0117
0x00000000
0x012d00f6
0x012d00d0
0x012d00d0
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 012D0111

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b235b94214b94b8d6ce59f414725720a7129b9638009609d9b098996cef719c9
Instruction ID: 2a63ea88aeda0985dc66aa05bd89b4ccc2676aabf6dbdde4684e6faf3b9715bc
Opcode Fuzzy Hash: b235b94214b94b8d6ce59f414725720a7129b9638009609d9b098996cef719c9
Instruction Fuzzy Hash: 9B31DD31221B05DFD726CF28C840BAAB7E5FF88314F14856DE59687AA0EB75E801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012E2581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E012E2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t230;
				signed int _t234;
				signed char _t235;
				signed int _t244;
				signed int _t246;
				intOrPtr _t248;
				signed int _t251;
				signed int _t258;
				signed int _t261;
				signed int _t269;
				intOrPtr _t275;
				signed int _t277;
				signed int _t279;
				void* _t280;
				void* _t281;
				signed int _t282;
				unsigned int _t285;
				signed int _t289;
				signed int* _t290;
				signed int _t291;
				signed int _t295;
				intOrPtr _t307;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t323;
				signed int _t324;
				signed int _t326;
				signed int _t328;
				signed int _t330;
				void* _t331;
				signed char _t333;
				void* _t334;

				_t328 = _t330;
				_t331 = _t330 - 0x4c;
				_v8 =  *0x13ad360 ^ _t328;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t323 = 0x13ab2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t285 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t334 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t275 = 0x48;
				_t305 = 0 | _t334 == 0x00000000;
				_t316 = 0;
				_v37 = _t334 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t275 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t324 = 0xc0000106;
						goto L32;
					} else {
						_t323 = L012D4620(_t285,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
						_v52 = _t323;
						__eflags = _t323;
						if(_t323 == 0) {
							_t324 = 0xc0000017;
							goto L32;
						} else {
							 *(_t323 + 0x44) =  *(_t323 + 0x44) & 0x00000000;
							_t50 = _t323 + 0x48; // 0x48
							_t318 = _t50;
							_t305 = _v32;
							 *((intOrPtr*)(_t323 + 0x3c)) = _t275;
							_t277 = 0;
							 *((short*)(_t323 + 0x30)) = _v48;
							__eflags = _t305;
							if(_t305 != 0) {
								 *(_t323 + 0x18) = _t318;
								__eflags = _t305 - 0x13a8478;
								 *_t323 = ((0 | _t305 == 0x013a8478) - 0x00000001 & 0xfffffffb) + 7;
								E012FF3E0(_t318,  *((intOrPtr*)(_t305 + 4)),  *_t305 & 0x0000ffff);
								_t305 = _v32;
								_t331 = _t331 + 0xc;
								_t277 = 1;
								__eflags = _a8;
								_t318 = _t318 + (( *_t305 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t269 = E013439F2(_t318);
									_t305 = _v32;
									_t318 = _t269;
								}
							}
							_t289 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t324 = _v68;
								__eflags = 0;
								 *((short*)(_t318 - 2)) = 0;
								goto L32;
							} else {
								_t279 = _t323 + _t277 * 4;
								_v56 = _t279;
								do {
									__eflags = _t305;
									if(_t305 != 0) {
										_t230 =  *(_v60 + _t289 * 4);
										__eflags = _t230;
										if(_t230 == 0) {
											goto L30;
										} else {
											__eflags = _t230 == 5;
											if(_t230 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t279 =  *(_v60 + _t289 * 4);
										 *(_t279 + 0x18) = _t318;
										_t234 =  *(_v60 + _t289 * 4);
										__eflags = _t234 - 8;
										if(_t234 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t234 * 4 +  &M012E2959))) {
												case 0:
													__ax =  *0x13a8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E012FF3E0(__edi,  *0x13a848c, __ax & 0x0000ffff);
														__eax =  *0x13a8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E012FF3E0(_t318, _v80, _v64);
													_t264 = _v64;
													goto L26;
												case 2:
													 *0x13a8480 & 0x0000ffff = E012FF3E0(__edi,  *0x13a8484,  *0x13a8480 & 0x0000ffff);
													__eax =  *0x13a8480 & 0x0000ffff;
													__eax = ( *0x13a8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E012FF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E012FF3E0(_t318, _v76, _v36);
														_t264 = _v36;
													}
													L26:
													_t331 = _t331 + 0xc;
													_t318 = _t318 + (_t264 >> 1) * 2 + 2;
													__eflags = _t318;
													L27:
													_push(0x3b);
													_pop(_t266);
													 *((short*)(_t318 - 2)) = _t266;
													goto L28;
												case 6:
													__ebx =  *0x13a575c;
													__eflags = __ebx - 0x13a575c;
													if(__ebx != 0x13a575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E012FF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x13a575c;
														} while (__ebx != 0x13a575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x13a8478 & 0x0000ffff = E012FF3E0(__edi,  *0x13a847c,  *0x13a8478 & 0x0000ffff);
													__eax =  *0x13a8478 & 0x0000ffff;
													__eax = ( *0x13a8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E013439F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x13a6e58 & 0x0000ffff = E012FF3E0(__edi,  *0x13a6e5c,  *0x13a6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x13a6e58 & 0x0000ffff;
													__eax = ( *0x13a6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t289 = _v16;
													_t305 = _v32;
													L29:
													_t279 = _t279 + 4;
													__eflags = _t279;
													_v56 = _t279;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t289 = _t289 + 1;
									_v16 = _t289;
									__eflags = _t289 - _v48;
								} while (_t289 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t234 =  *(_v60 + _t316 * 4);
						if(_t234 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t234 * 4 +  &M012E2935))) {
							case 0:
								__ax =  *0x13a8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t305 =  &_v64;
								_v80 = E012E2E3E(0,  &_v64);
								_t275 = _t275 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x13a8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x13a8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E012CEEF0(0x13a79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E012CEB70(__ecx, 0x13a79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t208 = _v72;
											__eflags = _t208;
											if(_t208 != 0) {
												L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t208);
											}
											_t209 = _v52;
											__eflags = _t209;
											if(_t209 != 0) {
												__eflags = _t324;
												if(_t324 < 0) {
													L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t209);
													_t209 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t285 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x13a7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L012D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E012CEB70(__ecx, 0x13a79a0);
										__eax = _v52;
										L36:
										_pop(_t317);
										_pop(_t325);
										__eflags = _v8 ^ _t328;
										_pop(_t276);
										return E012FB640(_t209, _t276, _v8 ^ _t328, _t305, _t317, _t325);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t271 = _v56;
								if(_v56 != 0) {
									_t305 =  &_v36;
									_t273 = E012E2E3E(_t271,  &_v36);
									_t285 = _v36;
									_v76 = _t273;
								}
								if(_t285 == 0) {
									goto L44;
								} else {
									_t275 = _t275 + 2 + _t285;
								}
								goto L14;
							case 6:
								__eax =  *0x13a5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x13a8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x13a8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x13a6e58 & 0x0000ffff;
								__eax = ( *0x13a6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t316 = _t316 + 1;
								if(_t316 >= _v48) {
									goto L16;
								} else {
									_t305 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t290 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					 *[cs:esi+0x28] =  *[cs:esi+0x28] + _t331;
					_t235 = _t234 + _t331;
					asm("daa");
					 *[cs:esi] =  *[cs:esi] + _t328;
					 *[cs:esi+0x28] =  *[cs:esi+0x28] + _t235;
					 *[cs:0x1f012e26] =  *[cs:0x1f012e26] + _t235;
					_pop(_t280);
					_t237 = _t331;
					_t333 = _t235 ^  *_t290;
					 *_t323 =  *_t323 - _t290;
					 *0x201325b =  *0x201325b + _t323;
					 *_t323 =  *_t323 - _t328;
					 *((intOrPtr*)(_t237 - 0x9fed1d8)) =  *((intOrPtr*)(_t331 - 0x9fed1d8)) + _t331;
					asm("daa");
					 *[cs:esi] =  *[cs:esi] + _t280;
					 *_t323 =  *_t323 - _t290;
					 *((intOrPtr*)(_t323 + 0x28)) =  *((intOrPtr*)(_t323 + 0x28)) + _t290;
					 *[cs:ebp+0x27] =  *[cs:ebp+0x27] + _t280;
					_pop(_t281);
					 *[cs:esp+ebx*2] =  *[cs:esp+ebx*2] + _t323;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x138ff00);
					E0130D08C(_t281, _t318, _t323);
					_v44 =  *[fs:0x18];
					_t319 = 0;
					 *_a24 = 0;
					_t282 = _a12;
					__eflags = _t282;
					if(_t282 == 0) {
						_t244 = 0xc0000100;
					} else {
						_v8 = 0;
						_t326 = 0xc0000100;
						_v52 = 0xc0000100;
						_t246 = 4;
						while(1) {
							_v40 = _t246;
							__eflags = _t246;
							if(_t246 == 0) {
								break;
							}
							_t295 = _t246 * 0xc;
							_v48 = _t295;
							__eflags = _t282 -  *((intOrPtr*)(_t295 + 0x1291664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t261 = E012FE5C0(_a8,  *((intOrPtr*)(_t295 + 0x1291668)), _t282);
									_t333 = _t333 + 0xc;
									__eflags = _t261;
									if(__eflags == 0) {
										_t326 = E013351BE(_t282,  *((intOrPtr*)(_v48 + 0x129166c)), _a16, _t319, _t326, __eflags, _a20, _a24);
										_v52 = _t326;
										break;
									} else {
										_t246 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t246 = _t246 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t326;
						__eflags = _t326;
						if(_t326 < 0) {
							__eflags = _t326 - 0xc0000100;
							if(_t326 == 0xc0000100) {
								_t291 = _a4;
								__eflags = _t291;
								if(_t291 != 0) {
									_v36 = _t291;
									__eflags =  *_t291 - _t319;
									if( *_t291 == _t319) {
										_t326 = 0xc0000100;
										goto L76;
									} else {
										_t307 =  *((intOrPtr*)(_v44 + 0x30));
										_t248 =  *((intOrPtr*)(_t307 + 0x10));
										__eflags =  *((intOrPtr*)(_t248 + 0x48)) - _t291;
										if( *((intOrPtr*)(_t248 + 0x48)) == _t291) {
											__eflags =  *(_t307 + 0x1c);
											if( *(_t307 + 0x1c) == 0) {
												L106:
												_t326 = E012E2AE4( &_v36, _a8, _t282, _a16, _a20, _a24);
												_v32 = _t326;
												__eflags = _t326 - 0xc0000100;
												if(_t326 != 0xc0000100) {
													goto L69;
												} else {
													_t319 = 1;
													_t291 = _v36;
													goto L75;
												}
											} else {
												_t251 = E012C6600( *(_t307 + 0x1c));
												__eflags = _t251;
												if(_t251 != 0) {
													goto L106;
												} else {
													_t291 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t326 = E012E2C50(_t291, _a8, _t282, _a16, _a20, _a24, _t319);
											L76:
											_v32 = _t326;
											goto L69;
										}
									}
									goto L108;
								} else {
									E012CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t326 = _a24;
									_t258 = E012E2AE4( &_v36, _a8, _t282, _a16, _a20, _t326);
									_v32 = _t258;
									__eflags = _t258 - 0xc0000100;
									if(_t258 == 0xc0000100) {
										_v32 = E012E2C50(_v36, _a8, _t282, _a16, _a20, _t326, 1);
									}
									_v8 = _t319;
									E012E2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t244 = _t326;
					}
					L70:
					return E0130D0D1(_t244);
				}
				L108:
			}

0x012e2584
0x012e2586
0x012e2590
0x012e2596
0x012e2597
0x012e2598
0x012e2599
0x012e259e
0x012e25a4
0x012e25a9
0x012e25ac
0x012e25ae
0x012e25b1
0x012e25b2
0x012e25b5
0x012e25b8
0x012e25bb
0x012e25bc
0x012e25bf
0x012e25c2
0x012e25c5
0x012e25c6
0x012e25cb
0x012e25ce
0x012e25d8
0x012e25db
0x012e25dd
0x012e25de
0x012e25e1
0x012e25e3
0x012e25e9
0x012e26da
0x012e26da
0x012e26dd
0x012e26e2
0x01325b56
0x00000000
0x012e26e8
0x012e26f9
0x012e26fb
0x012e26fe
0x012e2700
0x01325b60
0x00000000
0x012e2706
0x012e2706
0x012e270a
0x012e270a
0x012e270d
0x012e2713
0x012e2716
0x012e2718
0x012e271c
0x012e271e
0x01325b6c
0x01325b6f
0x01325b7f
0x01325b89
0x01325b8e
0x01325b93
0x01325b96
0x01325b9c
0x01325ba0
0x01325ba3
0x01325bab
0x01325bb0
0x01325bb3
0x01325bb3
0x01325ba3
0x012e2724
0x012e2726
0x012e2729
0x012e272c
0x012e279d
0x012e279d
0x012e27a0
0x012e27a2
0x00000000
0x012e272e
0x012e272e
0x012e2731
0x012e2734
0x012e2734
0x012e2736
0x01325bc1
0x01325bc1
0x01325bc4
0x00000000
0x01325bca
0x01325bca
0x01325bcd
0x00000000
0x01325bd3
0x00000000
0x01325bd3
0x01325bcd
0x012e273c
0x012e273c
0x012e2742
0x012e2747
0x012e274a
0x012e274d
0x012e2750
0x00000000
0x012e2756
0x012e2756
0x00000000
0x012e2902
0x012e2908
0x012e290b
0x00000000
0x012e2911
0x012e291c
0x012e2921
0x00000000
0x012e2921
0x00000000
0x00000000
0x012e2880
0x012e2887
0x012e288c
0x00000000
0x00000000
0x012e2805
0x012e280a
0x012e2814
0x012e2816
0x00000000
0x00000000
0x012e281e
0x012e2821
0x012e2823
0x00000000
0x012e2829
0x012e2829
0x012e2831
0x012e283c
0x012e283e
0x00000000
0x012e283e
0x00000000
0x00000000
0x012e284e
0x012e2850
0x012e2851
0x012e2854
0x012e2857
0x012e285a
0x012e285c
0x012e285d
0x00000000
0x00000000
0x012e275d
0x012e2761
0x00000000
0x012e2767
0x012e276e
0x012e2773
0x012e2773
0x012e2776
0x012e2778
0x012e277e
0x012e277e
0x012e2781
0x012e2781
0x012e2783
0x012e2784
0x00000000
0x00000000
0x01325bd8
0x01325bde
0x01325be4
0x01325be6
0x01325be8
0x01325be9
0x01325bee
0x01325bf8
0x01325bff
0x01325c01
0x01325c04
0x01325c07
0x01325c0b
0x01325c0d
0x01325c0d
0x01325c15
0x01325c18
0x01325c1b
0x01325c1b
0x01325c1e
0x00000000
0x00000000
0x012e28c3
0x012e28c8
0x012e28d2
0x012e28d4
0x012e28d8
0x012e28db
0x01325c26
0x01325c28
0x01325c2d
0x01325c2d
0x00000000
0x00000000
0x01325c34
0x01325c36
0x01325c49
0x01325c4e
0x01325c54
0x01325c5b
0x01325c5d
0x01325c60
0x012e2788
0x012e2788
0x012e278b
0x012e278e
0x012e278e
0x012e278e
0x012e2791
0x00000000
0x00000000
0x012e2756
0x012e2750
0x00000000
0x012e2794
0x012e2794
0x012e2795
0x012e2798
0x012e2798
0x00000000
0x012e2734
0x012e272c
0x012e2700
0x012e25ef
0x012e25ef
0x012e25ef
0x012e25f2
0x012e25f8
0x00000000
0x00000000
0x012e25fe
0x00000000
0x012e28e6
0x012e28ec
0x012e28ef
0x012e28f5
0x012e28f8
0x012e28f8
0x00000000
0x012e28f8
0x00000000
0x00000000
0x012e2866
0x012e2866
0x012e2876
0x012e2879
0x00000000
0x00000000
0x012e27e0
0x012e27e7
0x012e27e9
0x012e27eb
0x01325afd
0x00000000
0x01325afd
0x00000000
0x00000000
0x012e2633
0x012e2638
0x012e263b
0x012e263c
0x012e263e
0x012e2640
0x012e2642
0x012e2647
0x012e2649
0x012e264e
0x012e2650
0x012e2653
0x012e2659
0x012e26a2
0x012e26a7
0x012e26ac
0x012e26b2
0x01325b11
0x01325b15
0x01325b17
0x00000000
0x012e26b8
0x012e26b8
0x012e26ba
0x012e27a6
0x012e27a6
0x012e27a9
0x012e27ab
0x012e27b9
0x012e27b9
0x012e27be
0x012e27c1
0x012e27c3
0x012e27c5
0x012e27c7
0x01325c74
0x01325c79
0x01325c79
0x012e27c7
0x00000000
0x012e26c0
0x012e26c0
0x012e26c3
0x012e26c6
0x012e26c6
0x012e26c9
0x012e26c9
0x00000000
0x012e26c9
0x012e26ba
0x012e265b
0x012e265b
0x012e265e
0x012e2667
0x012e266d
0x012e2677
0x012e267c
0x012e267f
0x012e2681
0x01325b49
0x01325b4e
0x012e27cd
0x012e27d0
0x012e27d1
0x012e27d2
0x012e27d4
0x012e27dd
0x012e2687
0x012e2687
0x012e268a
0x012e268b
0x012e268e
0x012e268f
0x012e2691
0x012e2696
0x012e2698
0x012e269d
0x012e269f
0x00000000
0x012e269f
0x012e2681
0x00000000
0x00000000
0x012e2846
0x00000000
0x00000000
0x012e2605
0x012e260a
0x012e260c
0x012e2611
0x012e2616
0x012e2619
0x012e2619
0x012e261e
0x00000000
0x012e2624
0x012e2627
0x012e2627
0x00000000
0x00000000
0x01325b1f
0x00000000
0x00000000
0x012e2894
0x012e289b
0x012e289d
0x012e28a1
0x01325b2b
0x01325b2e
0x01325b2e
0x012e28a7
0x012e28a9
0x01325b04
0x01325b09
0x01325b09
0x01325b09
0x00000000
0x00000000
0x01325b35
0x01325b3c
0x012e28fb
0x012e28fb
0x012e26cc
0x012e26cc
0x012e26d0
0x00000000
0x012e26d2
0x012e26d2
0x00000000
0x012e26d2
0x00000000
0x00000000
0x012e25fe
0x012e292d
0x012e292f
0x012e2930
0x012e2935
0x012e2937
0x012e293b
0x012e293e
0x012e293f
0x012e2942
0x012e2947
0x012e294e
0x012e2951
0x012e2951
0x012e2952
0x012e2954
0x012e295a
0x012e295c
0x012e2962
0x012e2963
0x012e2966
0x012e2968
0x012e296b
0x012e2972
0x012e2977
0x012e297d
0x012e297e
0x012e297f
0x012e2980
0x012e2981
0x012e2982
0x012e2983
0x012e2984
0x012e2985
0x012e2986
0x012e2987
0x012e2988
0x012e2989
0x012e298a
0x012e298b
0x012e298c
0x012e298d
0x012e298e
0x012e298f
0x012e2990
0x012e2992
0x012e2997
0x012e29a3
0x012e29a6
0x012e29ab
0x012e29ad
0x012e29b0
0x012e29b2
0x01325c80
0x012e29b8
0x012e29b8
0x012e29bb
0x012e29c0
0x012e29c5
0x012e29c6
0x012e29c6
0x012e29c9
0x012e29cb
0x00000000
0x00000000
0x012e29cd
0x012e29d0
0x012e29d9
0x012e29db
0x012e29dd
0x012e2a7f
0x012e2a84
0x012e2a87
0x012e2a89
0x01325ca1
0x01325ca3
0x00000000
0x012e2a8f
0x012e2a8f
0x00000000
0x012e2a8f
0x00000000
0x012e29e3
0x012e29e3
0x012e29e3
0x00000000
0x012e29e3
0x012e29dd
0x00000000
0x012e29db
0x012e29e6
0x012e29e9
0x012e29eb
0x012e29ed
0x012e29f3
0x012e29f5
0x012e29f8
0x012e29fa
0x012e2a97
0x012e2a9a
0x012e2a9d
0x012e2add
0x00000000
0x012e2a9f
0x012e2aa2
0x012e2aa5
0x012e2aa8
0x012e2aab
0x01325cab
0x01325caf
0x01325cc5
0x01325cda
0x01325cdc
0x01325cdf
0x01325ce5
0x00000000
0x01325ceb
0x01325ced
0x01325cee
0x00000000
0x01325cee
0x01325cb1
0x01325cb4
0x01325cb9
0x01325cbb
0x00000000
0x01325cbd
0x01325cbd
0x00000000
0x01325cbd
0x01325cbb
0x012e2ab1
0x012e2ab1
0x012e2ac4
0x012e2ac6
0x012e2ac6
0x00000000
0x012e2ac6
0x012e2aab
0x00000000
0x012e2a00
0x012e2a09
0x012e2a0e
0x012e2a21
0x012e2a24
0x012e2a35
0x012e2a3a
0x012e2a3d
0x012e2a42
0x012e2a59
0x012e2a59
0x012e2a5c
0x012e2a5f
0x012e2a5f
0x012e29fa
0x012e29f3
0x012e2a64
0x012e2a64
0x012e2a6b
0x012e2a6b
0x012e2a6d
0x012e2a72
0x012e2a72
0x00000000

Strings

PATH, xrefs: 012E2642, 012E2691

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: ee7d9a87e885916affb82ac230322ed3ca538a458fc7538a694e265cb1a4a425
Instruction ID: f6c81e6262a933949f3c4250d8b2d334eeba5704e05e0cf477960ce6f1dc7df3
Opcode Fuzzy Hash: ee7d9a87e885916affb82ac230322ed3ca538a458fc7538a694e265cb1a4a425
Instruction Fuzzy Hash: 82C19F71D6021ADFDB29DF98D885ABDBBF9FF48700F884029E502BB250D774A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 012BC962 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E012BC962(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				intOrPtr _t22;
				void* _t26;
				void* _t27;
				void* _t32;
				intOrPtr _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x13ad360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E012CEEF0(0x13a70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0133F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E012CEB70(_t29, 0x13a70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E012FB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0133F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x13a70c0; // 0x0
					while(_t38 != 0x13a70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x13ab1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x012bc96a
0x012bc974
0x012bc988
0x012bc98a
0x01327c9d
0x01327c9f
0x01327ca4
0x01327cae
0x01327cf0
0x01327cf5
0x01327cfa
0x012bc992
0x012bc996
0x012bc997
0x012bc998
0x012bc9a3
0x012bc9a3
0x01327cb0
0x01327cb7
0x01327cbb
0x00000000
0x00000000
0x01327cbd
0x01327ce8
0x01327cc5
0x01327cc8
0x01327cca
0x01327cd0
0x01327cd6
0x01327cde
0x01327ce4
0x01327ce4
0x01327cd0
0x00000000
0x01327ce8
0x012bc990
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c6446c62d475caae2f0c089a6d7371b48d8cbc4c0fca3068ff3e26a8fbd568
Instruction ID: e31c7905067fddcbf2ab04f02e71e86f19cd657f8e1c54dcc1fa51fcae9550ad
Opcode Fuzzy Hash: 73c6446c62d475caae2f0c089a6d7371b48d8cbc4c0fca3068ff3e26a8fbd568
Instruction Fuzzy Hash: E711E5317106269FCB10AF3CDC8592BBBE9FBA4618F40063DE94183651DB21EC14C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 012EFAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E012EFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E012CEEF0(0x13a7b60);
					_t134 =  *0x13a7b84; // 0x77e07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x13a7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x13a7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E012C6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E012C76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01358938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E012BB150();
													}
													_t116 = E01356D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E012C75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x13a8638; // 0x0
																	_t122 = L012C38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E012C76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E012C76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L012EFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L012C70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E012EFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E012EFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E012EFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E012EFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E012EFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x13a7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x13a7b84 = _t75;
						_t73 = E012CEB70(_t134, 0x13a7b60);
						if( *0x13a7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E012CFF60( *0x13a7b20);
							}
						}
						goto L5;
					}
				}
			}

0x012efab0
0x012efab2
0x012efab3
0x012efab4
0x012efabc
0x012efac0
0x012efb14
0x012efb17
0x012efac2
0x012efac8
0x012efacd
0x012efad3
0x012efad3
0x012efadd
0x012efb18
0x012efb1b
0x012efb1d
0x012efb1e
0x012efb1f
0x012efb20
0x012efb21
0x012efb22
0x012efb23
0x012efb24
0x012efb25
0x012efb26
0x012efb27
0x012efb28
0x012efb29
0x012efb2a
0x012efb2b
0x012efb2c
0x012efb2d
0x012efb2e
0x012efb2f
0x012efb3a
0x012efb3b
0x012efb3e
0x012efb41
0x012efb44
0x012efb47
0x012efb4a
0x012efb4d
0x012efb53
0x0132bdcb
0x0132bdcb
0x012efb59
0x012efb5b
0x012efb5b
0x012efb5e
0x0132bdd5
0x0132bdd8
0x00000000
0x0132bdda
0x00000000
0x0132bdda
0x012efb64
0x012efb64
0x012efb64
0x012efb67
0x012efb6e
0x012efb70
0x012efb72
0x00000000
0x012efb78
0x012efb7a
0x012efb7a
0x012efb7d
0x012efb80
0x0132bddf
0x0132bde1
0x00000000
0x0132bde3
0x00000000
0x0132bde3
0x012efb86
0x012efb86
0x012efb86
0x012efb8b
0x012efb90
0x012efb92
0x012efb94
0x012efb9a
0x012efb9b
0x012efba1
0x0132bde8
0x0132bdeb
0x0132bded
0x0132beb5
0x0132beb5
0x0132bebb
0x0132bebd
0x0132bec3
0x0132bed2
0x0132bedd
0x0132bedd
0x0132beed
0x00000000
0x0132bdf3
0x0132bdfe
0x0132be06
0x0132be0b
0x0132be0d
0x0132be0f
0x0132be14
0x0132be19
0x0132be20
0x0132be25
0x0132be27
0x0132be35
0x0132be39
0x0132be46
0x0132be4f
0x0132be54
0x0132be56
0x0132bef8
0x0132bef8
0x00000000
0x0132be5c
0x0132be5c
0x0132be60
0x00000000
0x0132be66
0x0132be66
0x0132be7f
0x0132be84
0x0132be87
0x0132be89
0x0132be8b
0x0132be99
0x0132be9d
0x0132bea0
0x0132beac
0x0132beaf
0x0132beb1
0x0132beb3
0x0132beb3
0x00000000
0x0132bea2
0x0132bea2
0x00000000
0x0132bea2
0x0132be8d
0x0132be8d
0x0132be92
0x00000000
0x0132be92
0x0132be8b
0x0132be60
0x0132be3b
0x0132be3b
0x0132be3e
0x00000000
0x0132be40
0x0132be40
0x0132be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0132be44
0x0132be3e
0x0132be29
0x0132be29
0x00000000
0x0132be29
0x0132be27
0x00000000
0x012efba7
0x012efba7
0x012efbab
0x0132bf02
0x012efbb1
0x012efbb1
0x012efbb8
0x012efbbd
0x012efbbd
0x012efbbf
0x012efbbf
0x012efbc5
0x012efbcb
0x012efbf8
0x012efbf8
0x012efbfa
0x00000000
0x012efc00
0x012efc00
0x012efc03
0x00000000
0x012efc09
0x012efc09
0x012efc0f
0x012efc15
0x012efc23
0x012efc23
0x012efc25
0x012efc27
0x012efc75
0x012efc7c
0x012efc84
0x00000000
0x012efc29
0x012efc29
0x012efc2d
0x012efc30
0x0132bf0f
0x00000000
0x012efc36
0x012efc38
0x012efc3b
0x012efc41
0x0132bf17
0x0132bf19
0x0132bf48
0x0132bf4b
0x00000000
0x0132bf1b
0x0132bf22
0x0132bf24
0x0132bf26
0x00000000
0x0132bf2c
0x0132bf37
0x0132bf39
0x0132bf3b
0x00000000
0x0132bf41
0x0132bf41
0x0132bf41
0x0132bf41
0x0132bf45
0x00000000
0x0132bf45
0x0132bf3b
0x0132bf26
0x00000000
0x012efc47
0x012efc47
0x012efc49
0x012efcb2
0x012efcb4
0x012efcb6
0x012efcdc
0x012efcdc
0x00000000
0x012efcb8
0x012efcc3
0x012efcc5
0x012efcc7
0x00000000
0x012efcc9
0x012efcc9
0x012efccd
0x00000000
0x012efccd
0x012efcc7
0x00000000
0x012efc4b
0x012efc4b
0x012efc4e
0x012efc4e
0x012efc51
0x012efc51
0x012efc54
0x012efc5a
0x012efc5c
0x012efc5f
0x012efc61
0x012efc63
0x012efc65
0x012efc67
0x012efc6e
0x012efc72
0x012efc72
0x012efc72
0x012efc72
0x012efc67
0x012efc61
0x00000000
0x012efc5a
0x012efc49
0x012efc41
0x012efc30
0x012efc27
0x012efc03
0x012efbcd
0x012efbd3
0x012efbd9
0x012efbdc
0x012efbde
0x012efc99
0x012efc9b
0x012efc9d
0x012efcd5
0x012efcd5
0x012efc89
0x012efc89
0x00000000
0x012efc9f
0x012efc9f
0x012efca3
0x00000000
0x012efca3
0x00000000
0x012efbe4
0x012efbe4
0x012efbe4
0x012efbe4
0x012efbe9
0x012efbf2
0x00000000
0x012efbf2
0x012efbde
0x012efbcb
0x012efbab
0x012efc8b
0x012efc8b
0x012efc8c
0x012efb80
0x012efb72
0x012efb5e
0x012efc8d
0x012efc91
0x012efadf
0x012efadf
0x012efae1
0x012efae4
0x012efae7
0x012efaec
0x012efaf8
0x012efb00
0x012efb07
0x012efb0f
0x012efb0f
0x012efb07
0x00000000
0x012efaf8
0x012efadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0132BE0F

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 2782fbde9382dd3ba6c2adf60335cf6f603404d72ac23796474a1081d3ec8ed0
Instruction ID: 3298f8111b0ac182522adbb25e7e7ea68b73e189a53eb276aac4ad845e46747a
Opcode Fuzzy Hash: 2782fbde9382dd3ba6c2adf60335cf6f603404d72ac23796474a1081d3ec8ed0
Instruction Fuzzy Hash: 57A14571B20656CBEB21DF68C558BBAB7E4AF48714F54456DEA06CB280EB30D801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012B2D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E012B2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x13a5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x13a7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E012F97C0();
				}
				if( *0x13a79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x13a79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E012E1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E012D7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0134FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E012F9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E012EE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								E0130DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x13a6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x13a6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E012F9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E012F95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E012D7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E012D7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01337016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0134FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x13a5350;
							if(_t109 != 0x13a5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0134FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01345720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x012b2d8a
0x012b2d8a
0x012b2d92
0x012b2d96
0x012b2d9e
0x012b2da0
0x012b2da3
0x012b2da5
0x012b2da8
0x012b2dab
0x012b2db2
0x0130f9aa
0x0130f9ab
0x0130f9ae
0x0130f9ae
0x012b2db8
0x012b2dc2
0x0130f9b9
0x0130f9be
0x0130f9bf
0x0130f9bf
0x012b2dcf
0x0130f9c9
0x012b2dd5
0x012b2dd5
0x012b2dd5
0x012b2dde
0x012b2de1
0x012b2e70
0x012b2e72
0x012b2e72
0x012b2de7
0x012b2deb
0x012b2e7c
0x012b2e83
0x012b2e85
0x012b2e8b
0x012b2e8d
0x012b2e92
0x012b2e92
0x012b2e85
0x012b2df1
0x012b2df7
0x012b2df9
0x012b2df9
0x012b2dfc
0x012b2dff
0x012b2e02
0x00000000
0x012b2e05
0x012b2e0c
0x0130f9d9
0x012b2e12
0x012b2e12
0x012b2e12
0x012b2e1a
0x0130f9e3
0x0130f9e9
0x0130f9f0
0x0130f9f6
0x0130f9f8
0x0130f9f8
0x0130f9f0
0x012b2e23
0x0130fa02
0x0130fa03
0x0130fa05
0x0130fa06
0x00000000
0x012b2e29
0x012b2e29
0x012b2e2e
0x012b2e34
0x012b2e3e
0x00000000
0x00000000
0x012b2e44
0x012b2e47
0x012b2e4d
0x00000000
0x00000000
0x012b2e4f
0x012b2e54
0x00000000
0x00000000
0x012b2e5a
0x012b2e5f
0x012b2e9a
0x012b2ea4
0x012b2ea5
0x012b2ea8
0x012b2eaf
0x012b2eb2
0x012b2eb5
0x0130fae9
0x0130faeb
0x0130faed
0x0130faef
0x0130faf7
0x0130faf8
0x0130fafd
0x0130faff
0x0130fb04
0x0130fb04
0x0130faff
0x012b2ec0
0x012b2ec4
0x012b2ec6
0x012b2ec8
0x0130fb14
0x0130fb18
0x0130fb1e
0x0130fb21
0x0130fb21
0x012b2ece
0x012b2ece
0x012b2ece
0x012b2ed7
0x012b2e61
0x012b2e63
0x0130fa6b
0x0130fa71
0x0130fa76
0x0130fa78
0x0130fa8a
0x0130fa7a
0x0130fa83
0x0130fa83
0x0130fa8f
0x0130fa91
0x0130fa97
0x0130fa9d
0x0130faa4
0x0130faaa
0x0130faaf
0x0130fab1
0x0130fac3
0x0130fab3
0x0130fabc
0x0130fabc
0x0130fac8
0x0130facb
0x0130fadf
0x0130fadf
0x0130facb
0x0130faa4
0x0130fa91
0x012b2e6f
0x012b2e6f
0x012b2e5f
0x0130fa13
0x0130fa15
0x0130fa17
0x0130fa1f
0x0130fa21
0x0130fa22
0x0130fa25
0x0130fa28
0x0130fa2f
0x0130fa2f
0x0130fa2a
0x0130fa2a
0x0130fa2a
0x0130fa31
0x0130fa34
0x0130fa36
0x0130fa3c
0x0130fa3e
0x0130fa41
0x0130fa43
0x0130fa45
0x0130fa45
0x0130fa41
0x0130fa3c
0x0130fa4a
0x0130fa4f
0x0130fa51
0x0130fa53
0x0130fa56
0x0130fa5b
0x0130fa5e
0x00000000
0x0130fa5e
0x012b2e23

Strings

RTL: Re-Waiting, xrefs: 0130FA4A

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 4f06b5a3f3c4c136d185218d135e7d50f5f9732241510ee67a1cb1d8655133d2
Instruction ID: 109b04e42043cfad5225665b4936c694fb2eabf44f47c72fe4952d0121d0dd01
Opcode Fuzzy Hash: 4f06b5a3f3c4c136d185218d135e7d50f5f9732241510ee67a1cb1d8655133d2
Instruction Fuzzy Hash: 07610431A10706DFEB33DB6CC894BBE7BE8EB45758F140669E611972C1C774B9818B81

Uniqueness

Uniqueness Score: -1.00%

Function 01380EA5 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01380EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0137FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E01381074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E012F9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0137A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0137A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x13a8b04 >> 0x14) + (_v44 -  *0x13a8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E012D7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0137138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E012D7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0136FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x13a8724 & 0x00000008) != 0) {
						E013752F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E013815B5(0x13a8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x01380eb7
0x01380eb9
0x01380ec0
0x01380ec2
0x01380ecd
0x0138105b
0x0138105b
0x01381061
0x01381066
0x01381066
0x0138106b
0x01381073
0x01381073
0x01380ed3
0x01380ed6
0x01380edc
0x01380ee0
0x01380ee7
0x01380ef0
0x01380ef5
0x01380efa
0x01380efc
0x01380efd
0x01380f03
0x01380f04
0x01380f06
0x01380f07
0x01380f09
0x01380f0e
0x01380f14
0x01380f23
0x01380f2d
0x01380f34
0x01380f34
0x01380f14
0x01380f52
0x00000000
0x00000000
0x01380f58
0x01380f73
0x01380f74
0x01380f79
0x01380f7d
0x01380f80
0x01380f86
0x01380fab
0x01380fb5
0x01380fc6
0x01380fd1
0x01380fe3
0x01380fd3
0x01380fdc
0x01380fdc
0x01380feb
0x01381009
0x01381009
0x01381015
0x01381027
0x01381017
0x01381020
0x01381020
0x0138102f
0x0138103c
0x0138103c
0x01381048
0x01381050
0x01381050
0x01381055
0x00000000
0x01381055
0x01380f88
0x01380f9e
0x01380fa2
0x01380fa9
0x00000000
0x00000000
0x00000000
0x01380fa9
0x00000000

Strings

`, xrefs: 01380F16

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 57ae7b60ae23352fbcbeeb9ec5dca2b1b5e314819a356a9239b6dc57323713f4
Instruction ID: b674d892fa4a90f707c8f742bdbda2a72fa612fd460408bcee3ccff88d905618
Opcode Fuzzy Hash: 57ae7b60ae23352fbcbeeb9ec5dca2b1b5e314819a356a9239b6dc57323713f4
Instruction Fuzzy Hash: 7B5182B13043429FD725EF28D884B1BBBE9EBC4718F04492CF55697291D775E80AC761

Uniqueness

Uniqueness Score: -1.00%

Function 012EF0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E012EF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E012D4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E012F9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E012F9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E012F95D0();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0xff2d281a
							_t109 = L012D4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2000ff2d
								E012FF3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2000ff2d
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E012F95D0();
										L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x012ef0d3
0x012ef0d9
0x012ef0e0
0x012ef0e7
0x012ef0f2
0x012ef0f4
0x012ef0f8
0x012ef100
0x012ef108
0x012ef10d
0x012ef115
0x012ef116
0x012ef11f
0x012ef123
0x012ef124
0x012ef12c
0x012ef130
0x012ef134
0x012ef13d
0x012ef144
0x012ef14b
0x012ef152
0x0132bab0
0x0132bab0
0x012ef158
0x012ef158
0x012ef15a
0x012ef160
0x012ef165
0x012ef166
0x012ef16f
0x012ef173
0x0132baa7
0x0132baa7
0x0132baab
0x00000000
0x012ef179
0x012ef179
0x012ef18d
0x012ef191
0x0132baa2
0x00000000
0x012ef197
0x012ef19b
0x012ef1a2
0x012ef1a9
0x012ef1af
0x012ef1b2
0x012ef1b6
0x012ef1b9
0x012ef1c0
0x012ef1c4
0x012ef1d8
0x012ef1df
0x012ef1e3
0x012ef1e6
0x012ef1eb
0x012ef1ee
0x012ef1f4
0x012ef20f
0x0132bab7
0x0132babb
0x0132bacc
0x0132bad1
0x012ef215
0x012ef218
0x012ef226
0x012ef22b
0x00000000
0x012ef22b
0x012ef1f6
0x012ef1f6
0x012ef1f9
0x012ef1fb
0x012ef1fb
0x012ef1f4
0x012ef191
0x012ef173
0x012ef152
0x012ef203

Strings

@, xrefs: 012EF124

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 20ed7734146b956d24a07eca4851ed11de3dbf151aa7044ddc282e7a6983701a
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 80516872514711AFD320DF29C841A6BBBF8FF58714F00892EFA9587690E7B4E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01333540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01333540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x13ad360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E012F0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01333706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E012FFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01333540;
						E012FFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0130DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01340C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E012F97C0();
					}
					return E012FB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01333971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01333884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E012FFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E012F9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01333787(_a4,  &_v352, _t80);
						}
					}
					L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E012F95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01333552
0x0133355a
0x0133355d
0x01333566
0x01333567
0x0133357e
0x0133358f
0x013335a1
0x013335a5
0x0133366b
0x0133366b
0x0133366d
0x01333672
0x01333679
0x01333685
0x0133368d
0x0133369d
0x013336a7
0x013336b8
0x013336c6
0x013336c7
0x013336dc
0x013336e1
0x013336e7
0x013336e9
0x013336e9
0x01333703
0x01333703
0x013335b5
0x013335c0
0x013335c4
0x00000000
0x00000000
0x013335ca
0x013335d7
0x013335e2
0x013335e6
0x013335e8
0x013335f5
0x013335fa
0x01333603
0x01333604
0x01333609
0x0133360a
0x01333612
0x01333613
0x0133361e
0x01333622
0x01333628
0x0133362f
0x0133362f
0x01333636
0x01333638
0x0133363b
0x01333642
0x01333642
0x01333636
0x01333657
0x01333657
0x0133365c
0x01333662
0x01333669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0133358F

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 63215f9e8f37a3554ed51fc50bd031e08b0b3767ffe2a01fa7d49ea61af66b17
Instruction ID: 78434e49bf5ee9eb54c4fa676e8d9473f0be9072383dc6982f3a926c5dcfcc18
Opcode Fuzzy Hash: 63215f9e8f37a3554ed51fc50bd031e08b0b3767ffe2a01fa7d49ea61af66b17
Instruction Fuzzy Hash: 694124B291052D9FDF219A54CC84FEEB77CAB54718F0085A5E709AB240DB309E888F98

Uniqueness

Uniqueness Score: -1.00%

Function 013805AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E013805AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E013807DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E012F9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0137A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0137A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E01381293(_t79, _v40, E013807DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E012D7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0137138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x013805c5
0x013805ca
0x013805d3
0x013806db
0x013806db
0x013806dd
0x013806e3
0x013806e3
0x013805dd
0x013805e7
0x013805f6
0x01380600
0x01380607
0x01380610
0x01380615
0x0138061a
0x0138061c
0x0138061e
0x01380624
0x01380625
0x01380627
0x01380628
0x01380631
0x01380640
0x0138064d
0x01380654
0x01380654
0x01380631
0x0138066d
0x01380674
0x00000000
0x00000000
0x01380692
0x0138069e
0x013806b0
0x013806a0
0x013806a9
0x013806a9
0x013806b8
0x013806d6
0x013806d6
0x00000000

Strings

`, xrefs: 01380633

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 563baad97dbfeed2a72fe587ffb1ca106ad62b88d3805e93a41733f5974c873c
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: C231E6326047466BE724EF28CD45F9B7BD9EBC476CF184129FA54AB280D770E908C791

Uniqueness

Uniqueness Score: -1.00%

Function 01333884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01333884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E012F9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L012D4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E012F9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01333893
0x01333896
0x01333899
0x0133389f
0x013338a0
0x013338a4
0x013338a9
0x013338ac
0x013338ad
0x013338ae
0x013338af
0x013338b1
0x013338b4
0x013338bb
0x013338bc
0x013338bd
0x013338c4
0x013338c8
0x013338ca
0x013338ca
0x013338d5
0x0133393e
0x01333940
0x01333942
0x01333952
0x01333954
0x01333961
0x01333961
0x01333967
0x0133396e
0x0133396e
0x01333947
0x0133394c
0x00000000
0x0133394c
0x013338ea
0x013338ee
0x013338f8
0x013338f9
0x013338ff
0x01333900
0x01333902
0x01333903
0x0133390b
0x0133390f
0x01333950
0x00000000
0x01333950
0x01333915
0x0133391d
0x0133391d
0x01333922
0x01333926
0x00000000
0x01333928
0x0133392b
0x0133392b
0x01333935
0x01333937
0x01333937
0x00000000
0x01333935
0x01333926
0x013338f0
0x00000000

Strings

BinaryName, xrefs: 013338B4

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 4b3455764d72311a4dbba5d0ab3d400c83c827d5300db532ad65e2c78026072a
Instruction ID: edfe6a6713b29e15715d026083f4ceae4cd9a598c584d8d61da432f045852413
Opcode Fuzzy Hash: 4b3455764d72311a4dbba5d0ab3d400c83c827d5300db532ad65e2c78026072a
Instruction Fuzzy Hash: C731D43290151AEFEB15DA58C945E7BFB74FF80724F018169EA15AB250D6309E44C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 012ED294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E012ED294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x13ad360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E012D4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E012FB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E012F98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E012F95D0();
					L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x012ed29c
0x012ed2a6
0x012ed2b1
0x012ed2b5
0x012ed2b6
0x012ed2bc
0x012ed2bd
0x012ed2be
0x012ed2bf
0x012ed2c2
0x012ed2c4
0x012ed2cc
0x012ed384
0x012ed34b
0x012ed34f
0x012ed350
0x012ed351
0x012ed35c
0x012ed35c
0x012ed2d6
0x012ed2da
0x012ed2e1
0x012ed361
0x012ed369
0x012ed36d
0x012ed2e3
0x012ed2e3
0x012ed2e3
0x012ed2e5
0x012ed2ed
0x012ed2f5
0x012ed2fa
0x012ed302
0x012ed303
0x012ed30b
0x012ed30f
0x012ed313
0x012ed318
0x012ed31c
0x012ed320
0x012ed379
0x012ed37d
0x00000000
0x00000000
0x0132affe
0x0132b001
0x0132b011
0x00000000
0x012ed322
0x012ed322
0x012ed330
0x012ed337
0x012ed35d
0x012ed339
0x012ed33f
0x012ed38c
0x012ed38c
0x012ed33f
0x012ed349
0x00000000
0x012ed349

Strings

@, xrefs: 012ED303

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6930a4ca070a95164605044b2721e88077f51b03a34ec4e75e83bbce1e4329e1
Instruction ID: 09cc68ced16dffc8938a1a60394d205b4a49cd966689cd210f764363a1042c0e
Opcode Fuzzy Hash: 6930a4ca070a95164605044b2721e88077f51b03a34ec4e75e83bbce1e4329e1
Instruction Fuzzy Hash: 7E31E2B556830A9FC321DF68C985A6BFBE8EB85654F80092EFA9583250D634DD04CF92

Uniqueness

Uniqueness Score: -1.00%

Function 012C1B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E012C1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E012FBB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E012FA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E012FA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L012D4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x012c1b8f
0x012c1b9a
0x012c1b9c
0x012c1b9e
0x012c1ba3
0x01317010
0x01317010
0x00000000
0x012c1ba9
0x012c1ba9
0x012c1bae
0x00000000
0x012c1bc5
0x012c1bca
0x012c1bcf
0x012c1bd0
0x012c1bd1
0x012c1bd2
0x012c1bd6
0x012c1bdc
0x012c1be0
0x01316ffc
0x01317000
0x00000000
0x01317006
0x01317009
0x01317009
0x012c1be6
0x012c1bec
0x012c1c0b
0x012c1c0b
0x012c1c0c
0x012c1c11
0x012c1c12
0x012c1c15
0x012c1c1b
0x012c1c1f
0x012c1c31
0x012c1c33
0x01317026
0x01317026
0x012c1c21
0x012c1c24
0x012c1c24
0x012c1bee
0x012c1bee
0x012c1bf2
0x012c1c3a
0x012c1bf4
0x012c1bf4
0x012c1c05
0x012c1c05
0x012c1c09
0x012c1c3e
0x00000000
0x00000000
0x00000000
0x012c1c09
0x012c1bec
0x012c1be0
0x012c1bae
0x012c1c2e

Strings

WindowsExcludedProcs, xrefs: 012C1BC5

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 1629adae83b566dfdeaa50d4cda5c91e30bd38f2eeaf63f556d79902d23c48eb
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: F5213A7B621219EBDB26DA59C841FABBBACEF41E50F054529FF048B201D630DE11C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 012DF716 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012DF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x012df71d
0x012df722
0x012df726
0x01324770
0x012df765
0x012df769
0x012df769
0x012df732
0x0132477a
0x00000000
0x0132477a
0x012df738
0x012df73a
0x012df73c
0x012df73f
0x012df746
0x012df778
0x012df7a9
0x012df7a9
0x012df754
0x012df75a
0x012df75d
0x012df75f
0x012df761
0x012df76f
0x012df771
0x012df771
0x012df76f
0x012df763
0x00000000
0x012df763
0x012df77d
0x012df7a3
0x012df7a5
0x00000000
0x012df7a5
0x012df77f
0x012df782
0x012df784
0x012df786
0x00000000
0x00000000
0x00000000
0x012df788
0x012df748
0x012df74d
0x012df78d
0x012df793
0x012df7b7
0x012df7bc
0x00000000
0x012df7bc
0x012df798
0x00000000
0x00000000
0x012df79d
0x012df7b0
0x00000000
0x012df7b0
0x012df79f
0x00000000
0x012df74f
0x012df74f
0x00000000
0x012df74f

Strings

Actx , xrefs: 012DF73F

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 7ab50d66932572bd47a3dc323e66335ed53b2ca713671d39c68b6ca0f92d1237
Instruction ID: 9434512903f78fb83d3d29e882c0abf5dff0d07bc8f77df4d0cc6f2d43f0c9b8
Opcode Fuzzy Hash: 7ab50d66932572bd47a3dc323e66335ed53b2ca713671d39c68b6ca0f92d1237
Instruction Fuzzy Hash: C711D0343387438BFB2D4E1CCB917B67695AB85224F27452AE667CB391DAB0C843C348

Uniqueness

Uniqueness Score: -1.00%

Function 01368DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01368DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x1390d50);
				E0130D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01345720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = E0130DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				E0130DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0130D130(_t34, _t39, _t40);
			}

0x01368df1
0x01368df1
0x01368df1
0x01368df1
0x01368df1
0x01368df1
0x01368df3
0x01368df8
0x01368dfd
0x01368e00
0x01368e0e
0x01368e2a
0x01368e36
0x01368e38
0x01368e3c
0x01368e46
0x01368e46
0x01368e36
0x01368e50
0x01368e56
0x01368e59
0x01368e5c
0x01368e60
0x01368e67
0x01368e6d
0x01368e73
0x01368e74
0x01368eb1
0x01368ebd

Strings

Critical error detected %lx, xrefs: 01368E21

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 6987b544a14b1aaf4532fa79af8a302035a0bde3d2ad683c9b1ca45c454bfebd
Instruction ID: 8766c4c591b9bba736de9fcd21e400781dc0dac24cf37fa53d00f492327ecf8b
Opcode Fuzzy Hash: 6987b544a14b1aaf4532fa79af8a302035a0bde3d2ad683c9b1ca45c454bfebd
Instruction Fuzzy Hash: CE113975D15348DBDF29CFE8891579CBBF4AB18318F20825DE5296B282C3340601CF14

Uniqueness

Uniqueness Score: -1.00%

Function 01385BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E01385BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x1391178);
				E0130D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E01384C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E012FD000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E01385542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x13a60e8;
								if( *0x13a60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x13a60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E012F9710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E012F6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E012FF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E012FF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E012FF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E012FFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E012FFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E012FF3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E012FF3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E01384CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0130D130(_t427, _t494, _t511);
				}
			}

0x01385ba5
0x01385baa
0x01385baf
0x01385bb4
0x01385bb6
0x01385bbc
0x01385bbe
0x01385bc4
0x01385bcd
0x01385bd3
0x01385bd6
0x01385bdc
0x01385be0
0x01385be3
0x01385beb
0x01385bf2
0x01385bf8
0x01385bfe
0x01385c04
0x01385c0e
0x01385c18
0x01385c1f
0x01385c25
0x01385c2a
0x01385c2c
0x01385c32
0x01385c3a
0x01385c3f
0x01385c42
0x01385c48
0x01385c5b
0x01385c5b
0x01385c2c
0x01385cb7
0x01385cb9
0x01385cbf
0x01385cc2
0x01385cca
0x01385ccb
0x01385ccb
0x01385cd1
0x01385cd7
0x01385cda
0x01385ce1
0x01385ce4
0x01385ce7
0x01385ced
0x01385cf3
0x01385cf9
0x01385cff
0x01385d08
0x01385d0a
0x01385d0e
0x01385d10
0x00000000
0x00000000
0x01385d16
0x01385d1a
0x00000000
0x00000000
0x01385d20
0x01385d22
0x01385d25
0x01385d2f
0x01385d2f
0x01385d33
0x01385d3d
0x01385d49
0x01385d4b
0x00000000
0x00000000
0x01385d5a
0x01385d5d
0x01385d60
0x00000000
0x00000000
0x01385d66
0x01385d69
0x00000000
0x00000000
0x01385d6f
0x01385d6f
0x01385d73
0x01385d79
0x01385d7f
0x01385d86
0x01385d95
0x01385d98
0x01385dba
0x01385dcb
0x01385dce
0x01385dd3
0x01385dd6
0x01385dd8
0x01385de6
0x01385dec
0x01385dee
0x01385df1
0x01385df3
0x0138635a
0x0138635a
0x00000000
0x0138635a
0x01385dfe
0x01385e02
0x01385e05
0x01385e07
0x01385e10
0x01385e13
0x01385e1b
0x01385e1c
0x01385e21
0x01385e22
0x01385e23
0x01385e25
0x01385e2a
0x01385e2c
0x01385e2e
0x01385e36
0x01385e39
0x01385e42
0x01385e47
0x01385e4d
0x01385e54
0x01385e54
0x01385e54
0x01385e2e
0x01385e5c
0x01385e5f
0x01385e62
0x01385e64
0x01385e6b
0x01385e70
0x01385e7a
0x01385e7a
0x01385e7a
0x01385e6b
0x01385e7e
0x01385e7f
0x01385e7f
0x01385e81
0x01385e87
0x01385e8b
0x01385e8c
0x01385e8c
0x01385e8c
0x01385e9a
0x01385e9c
0x01385ea2
0x01385ea6
0x01385f50
0x01385f50
0x01385f57
0x01385f66
0x01385f66
0x01385f66
0x01385f68
0x01385f6a
0x013863d0
0x00000000
0x01385f70
0x01385f70
0x01385f91
0x01385f9c
0x01385f9e
0x01385fa4
0x01385fa6
0x0138638c
0x01386392
0x013863a1
0x013863a7
0x013863af
0x013863af
0x013863bd
0x013863d8
0x00000000
0x013863d8
0x01385fac
0x01385fb2
0x01385fb4
0x01385fbd
0x01385fc6
0x01385fce
0x01385fd4
0x01385fdc
0x01385fec
0x01385fed
0x01385fee
0x01385fef
0x01385ff9
0x01385ffa
0x01385ffb
0x01385ffc
0x01386000
0x01386004
0x01386012
0x01386012
0x01386018
0x01386019
0x0138601a
0x0138601b
0x0138601c
0x01386020
0x01386059
0x0138605c
0x01386061
0x01386061
0x01386022
0x01386022
0x01386022
0x01386025
0x0138602a
0x0138602b
0x01386031
0x01386037
0x01386038
0x0138603e
0x01386048
0x01386049
0x0138604a
0x0138604b
0x0138604c
0x0138604d
0x01386053
0x01386054
0x01386054
0x01386062
0x01386065
0x01386067
0x0138606a
0x01386070
0x01386075
0x01386076
0x01386081
0x01386087
0x01386095
0x01386099
0x0138609e
0x013860a4
0x013860ae
0x013860b0
0x013860b3
0x013860b6
0x013860b8
0x013860ba
0x013860ba
0x013860ba
0x013860ba
0x013860be
0x013860c0
0x013860c5
0x013860c5
0x013860c5
0x013860c6
0x013860cd
0x01386114
0x013860cf
0x013860cf
0x013860d4
0x013860d5
0x013860da
0x013860db
0x013860e1
0x013860e2
0x013860e8
0x013860f8
0x013860fd
0x013860fe
0x01386102
0x01386104
0x01386107
0x01386109
0x0138610b
0x0138610b
0x0138610b
0x0138610b
0x0138610f
0x0138610f
0x01386117
0x0138611a
0x0138611f
0x01386125
0x01386134
0x01386139
0x0138613f
0x01386146
0x01386148
0x0138614b
0x0138614d
0x0138614f
0x0138614f
0x0138614f
0x0138614f
0x01386153
0x01386159
0x01386159
0x0138615c
0x01386163
0x01386169
0x0138616c
0x01386172
0x01386181
0x01386186
0x01386187
0x0138618b
0x01386191
0x01386195
0x013861a3
0x013861bb
0x013861c0
0x013861c3
0x013861cc
0x013861d0
0x013861dc
0x013861de
0x013861e1
0x013861e4
0x013861e6
0x013861e8
0x013861e8
0x013861e8
0x013861e8
0x013861e6
0x013861ec
0x013861f3
0x01386203
0x01386209
0x0138620a
0x01386216
0x0138621d
0x01386227
0x01386241
0x01386246
0x0138624c
0x01386257
0x01386259
0x0138625c
0x0138625e
0x01386260
0x01386260
0x01386260
0x01386260
0x0138625e
0x01386264
0x01386267
0x01386269
0x01386315
0x01386315
0x0138631b
0x0138631e
0x01386324
0x01386327
0x0138632f
0x01386330
0x01386333
0x0138633a
0x0138633c
0x01386335
0x01386335
0x01386335
0x0138633f
0x01386342
0x0138634c
0x01386352
0x01386355
0x01386355
0x01386359
0x00000000
0x0138626f
0x01386275
0x01386275
0x01386278
0x0138627e
0x0138627e
0x01386281
0x01386287
0x0138628d
0x01386298
0x0138629c
0x013862a2
0x0138629e
0x0138629e
0x0138629e
0x013862a7
0x013862a7
0x013862aa
0x013862b0
0x013862f0
0x013862f0
0x013862f2
0x013862f8
0x013862fd
0x013862b2
0x013862b2
0x013862b2
0x013862b5
0x013862dd
0x013862e2
0x013862e5
0x013862b7
0x013862b8
0x013862bb
0x013862bd
0x013862c0
0x013862c4
0x013862cd
0x013862cd
0x013862c0
0x013862bb
0x013862b5
0x01386302
0x01386303
0x01386305
0x01386305
0x01386305
0x0138630c
0x0138630c
0x00000000
0x0138627e
0x01386269
0x01385eac
0x01385ebb
0x01385ebe
0x01385ecb
0x01385ecb
0x01385ece
0x01385ece
0x01385ed4
0x01385ed7
0x01385ed9
0x01385edb
0x01385edb
0x01385ee1
0x01385ee1
0x01385ee3
0x01385f20
0x01385f20
0x01385ee5
0x01385ee5
0x01385ee5
0x01385ee8
0x01385f11
0x01385f18
0x01385eea
0x01385eea
0x01385eed
0x01385ef2
0x01385ef8
0x01385efb
0x01385f0a
0x01385f0a
0x01385eed
0x01385ee8
0x01385f22
0x01385f28
0x00000000
0x00000000
0x01385f30
0x01385f31
0x01385f37
0x01385f3a
0x01385f3d
0x01385f44
0x00000000
0x00000000
0x00000000
0x01385f46
0x01385f48
0x01385f4d
0x00000000
0x01385f4d
0x01385dda
0x01385ddf
0x00000000
0x01385ddf
0x01385dd8
0x01385da7
0x01385da9
0x01385dac
0x01385dae
0x00000000
0x01385db4
0x01385db4
0x00000000
0x01385db4
0x01385dae
0x01385d88
0x01385d8d
0x01386363
0x01386369
0x0138636a
0x01386370
0x01386372
0x0138637a
0x0138637b
0x0138637d
0x00000000
0x00000000
0x0138637f
0x01386385
0x00000000
0x01386385
0x01385d38
0x01385d3b
0x00000000
0x00000000
0x00000000
0x01385d3b
0x01385d27
0x01385d29
0x00000000
0x00000000
0x00000000
0x01386360
0x00000000
0x01386360
0x01385c10
0x01385c10
0x013863da
0x013863e5
0x013863e5

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d3d81ed768dd6b29e72e9babf097f2fd7f92434ff208c47d054fbba4c1fdb7
Instruction ID: ced78d408b596ae1e69cb52561b7cd614fdd018179187c711a3a9f9b43366a0b
Opcode Fuzzy Hash: 94d3d81ed768dd6b29e72e9babf097f2fd7f92434ff208c47d054fbba4c1fdb7
Instruction Fuzzy Hash: 0A425BB1910329CFDB24DF68C881BA9BBB1FF49308F1481AAD94DEB252D7749985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 012D4120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E012D4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x13ad360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E012EF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E012D6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L012D4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E012D6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M012D45F8))) {
												case 0:
													_v568 = 0x1291078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x12911c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L012D4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E012FF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E012FF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E012B52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E012CEB70(1, 0x13a79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E012CAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E012F95D0();
																			L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E012FB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E012F3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E012FB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x012d4128
0x012d4135
0x012d413c
0x012d4141
0x012d4145
0x012d4147
0x012d414e
0x012d4151
0x012d4159
0x012d415c
0x012d4160
0x012d4164
0x012d4168
0x012d416c
0x012d417f
0x012d4181
0x012d446a
0x012d446a
0x012d418c
0x012d4195
0x012d4199
0x012d4432
0x012d4439
0x012d443d
0x012d4442
0x012d4447
0x00000000
0x012d419f
0x012d41a3
0x012d41b1
0x012d41b9
0x012d41bd
0x012d45db
0x012d45db
0x00000000
0x012d41c3
0x012d41c3
0x012d41ce
0x012d41d4
0x0131e138
0x0131e13e
0x0131e169
0x0131e16d
0x0131e19e
0x0131e16f
0x0131e16f
0x0131e175
0x0131e179
0x0131e18f
0x0131e193
0x00000000
0x0131e199
0x00000000
0x0131e199
0x0131e193
0x00000000
0x00000000
0x00000000
0x012d41da
0x012d41da
0x012d41df
0x012d41e4
0x012d41ec
0x012d4203
0x012d4207
0x0131e1fd
0x012d4222
0x012d4226
0x0131e1f3
0x0131e1f3
0x012d422c
0x012d422c
0x012d4233
0x0131e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x012d4239
0x012d4239
0x012d4239
0x012d4239
0x012d4233
0x012d4226
0x012d41ee
0x012d41ee
0x012d41f4
0x012d4575
0x0131e1b1
0x0131e1b1
0x00000000
0x012d457b
0x012d457b
0x012d4582
0x0131e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x012d4588
0x012d4588
0x012d458c
0x0131e1c4
0x0131e1c4
0x00000000
0x012d4592
0x012d4592
0x012d4599
0x0131e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x012d459f
0x012d459f
0x012d45a3
0x0131e1d7
0x0131e1e4
0x00000000
0x012d45a9
0x012d45a9
0x012d45b0
0x0131e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x012d45b6
0x012d45b6
0x012d45b6
0x00000000
0x012d45b6
0x012d45b0
0x012d45a3
0x012d4599
0x012d458c
0x012d4582
0x00000000
0x00000000
0x00000000
0x00000000
0x012d41f4
0x012d423e
0x012d4241
0x012d45c0
0x012d45c4
0x00000000
0x012d45ca
0x012d45ca
0x00000000
0x0131e207
0x0131e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x012d45d1
0x00000000
0x00000000
0x012d45ca
0x00000000
0x012d4247
0x012d4247
0x012d4247
0x012d4249
0x012d4249
0x012d4249
0x012d4251
0x012d4251
0x012d4257
0x012d425f
0x012d426e
0x012d4270
0x012d427a
0x0131e219
0x0131e219
0x012d4280
0x012d4282
0x012d4456
0x012d45ea
0x00000000
0x012d45f0
0x0131e223
0x00000000
0x0131e223
0x012d445c
0x012d445c
0x00000000
0x012d445c
0x00000000
0x012d4288
0x012d428c
0x0131e298
0x012d4292
0x012d4292
0x012d429e
0x012d42a3
0x012d42a7
0x012d42ac
0x0131e22d
0x012d42b2
0x012d42b2
0x012d42b9
0x012d42bc
0x012d42c2
0x012d42ca
0x012d42cd
0x012d42cd
0x012d42d4
0x012d433f
0x012d433f
0x012d42d6
0x012d42d6
0x012d42d9
0x012d42dd
0x012d42eb
0x0131e23a
0x012d42f1
0x012d4305
0x012d430d
0x012d4315
0x012d4318
0x012d431f
0x012d4322
0x012d432e
0x012d433b
0x012d433b
0x00000000
0x012d432e
0x012d42eb
0x012d434c
0x012d434e
0x012d4352
0x012d4359
0x012d435e
0x012d4361
0x012d436e
0x012d438a
0x012d438e
0x012d4396
0x012d439e
0x012d43a1
0x012d43ad
0x012d43bb
0x012d43bb
0x012d43ad
0x012d436e
0x012d43bf
0x012d43c5
0x012d4463
0x012d4463
0x012d43ce
0x012d43d5
0x012d43d9
0x012d43df
0x012d4475
0x012d4479
0x012d4491
0x012d4491
0x012d4479
0x012d43e5
0x012d43eb
0x012d43f4
0x012d43f6
0x012d43f9
0x012d43fc
0x012d43ff
0x012d44e8
0x012d44ed
0x012d44f3
0x0131e247
0x00000000
0x012d44f9
0x012d4504
0x012d4508
0x012d450f
0x0131e269
0x00000000
0x012d4515
0x012d4519
0x012d4531
0x012d4534
0x012d4537
0x012d453e
0x012d4541
0x012d454a
0x0131e255
0x0131e255
0x0131e25b
0x0131e25e
0x0131e261
0x0131e261
0x012d4555
0x012d4559
0x012d455d
0x0131e26d
0x0131e270
0x0131e274
0x0131e27a
0x0131e27d
0x0131e28e
0x0131e28e
0x012d4563
0x012d4563
0x012d4569
0x012d4569
0x00000000
0x012d455d
0x012d450f
0x00000000
0x012d44f3
0x012d43ff
0x012d4405
0x012d4405
0x012d4405
0x012d42ac
0x012d428c
0x012d4282
0x012d4407
0x012d440d
0x0131e2af
0x0131e2af
0x012d4413
0x012d4413
0x00000000
0x012d41d4
0x00000000
0x012d41c3
0x012d41bd
0x012d4415
0x012d4415
0x012d4416
0x012d4417
0x012d4429
0x012d416e
0x012d416e
0x012d4175
0x012d4498
0x012d449f
0x0131e12d
0x00000000
0x0131e133
0x00000000
0x0131e133
0x012d44a5
0x012d44a5
0x012d44aa
0x00000000
0x012d44bb
0x012d44ca
0x012d44d6
0x012d44d7
0x012d44d8
0x012d44e3
0x012d44e3
0x012d44aa
0x012d417b
0x012d417b
0x012d417b
0x00000000
0x012d417b
0x012d4175
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f85bbb9cfe39d54c9e9c72f6addefcd897f75c3fb8b1a5292ad42a432437b81
Instruction ID: 70db4a5c86e1a9ba39efab60774bc860bda8486d84a105911e6201e6f1f01a59
Opcode Fuzzy Hash: 4f85bbb9cfe39d54c9e9c72f6addefcd897f75c3fb8b1a5292ad42a432437b81
Instruction Fuzzy Hash: FEF1B1706283928FC729EF18C484A7AB7E1FF98718F54492EF986C7650E735D881CB52

Uniqueness

Uniqueness Score: -1.00%

Function 012E20A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E012E20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x13a8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E012E2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E012E2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E012B58EC(_t240);
									_t221 =  *0x13a5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x13a5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E012F4A2C(0x13a6e40, 0x12f4b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E012D7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x1295c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E012EF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E012EF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E01337016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L012D2400(_t267 + 0x20);
															}
															L012D2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E012E2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E012D2280(_t134, 0x13a8608);
									__eflags =  *0x13a6e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E012CFFB0(_t198, _t241, 0x13a8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x13a6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x13a8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E012E6B90(_t210,  &_v64);
										_t262 =  *0x13a8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E012EE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E012F97C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E012F006A(0x13a8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x13a8608);
												E012FB180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x13a6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x13a6e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E012CFFB0(_t198, _t240, 0x13a8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E012F00C2(0x13a8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x012e20a0
0x012e20a8
0x012e20ad
0x012e20b3
0x012e20b8
0x012e20c2
0x012e20c7
0x012e20cb
0x012e20d2
0x012e2263
0x012e2266
0x01325836
0x01325836
0x00000000
0x012e226c
0x012e226c
0x012e2270
0x012e2274
0x012e20e2
0x012e20e2
0x012e20e6
0x012e20ee
0x013257dc
0x013257de
0x013257ec
0x013257ec
0x013257f1
0x013257f3
0x013257f8
0x00000000
0x013257f8
0x013257e0
0x013257e4
0x013257ea
0x00000000
0x00000000
0x00000000
0x013257ea
0x012e20f4
0x012e20f4
0x012e20f8
0x012e20f8
0x012e20fc
0x012e2100
0x012e2106
0x012e2201
0x012e2206
0x012e220b
0x012e220e
0x012e22a9
0x012e22ac
0x00000000
0x00000000
0x012e22b2
0x012e22b5
0x01325801
0x01325806
0x00000000
0x00000000
0x01325810
0x01325815
0x01325818
0x00000000
0x00000000
0x0132581e
0x012e22bb
0x012e22bb
0x012e2218
0x012e2218
0x012e221c
0x012e2220
0x012e2222
0x012e22c2
0x012e22c4
0x012e22dc
0x012e22dc
0x012e22e1
0x00000000
0x00000000
0x00000000
0x012e22e7
0x012e22c8
0x012e22cd
0x012e22d3
0x012e22d6
0x01325823
0x01325825
0x01325827
0x00000000
0x00000000
0x0132582d
0x00000000
0x0132582d
0x00000000
0x012e2228
0x012e2228
0x00000000
0x012e2228
0x012e2222
0x012e2214
0x012e2214
0x00000000
0x012e2114
0x012e2114
0x012e2114
0x012e211a
0x012e211c
0x012e2348
0x012e234d
0x01325840
0x01325845
0x01325848
0x0132584e
0x0132584e
0x01325848
0x012e2353
0x012e2355
0x012e2388
0x012e2388
0x012e2368
0x012e236a
0x012e236c
0x012e238f
0x00000000
0x012e236e
0x012e236e
0x012e218e
0x012e218e
0x012e2191
0x012e2195
0x01325a03
0x01325a06
0x01325a0c
0x01325a0f
0x01325a11
0x01325a13
0x01325a13
0x01325a19
0x01325a1f
0x00000000
0x012e219b
0x012e219b
0x012e21a0
0x012e2282
0x012e2284
0x012e2284
0x012e2284
0x012e2284
0x012e21a6
0x012e21a9
0x012e21ac
0x012e21ae
0x012e21b3
0x012e228b
0x012e2290
0x012e2379
0x012e2296
0x012e2298
0x012e2298
0x012e2290
0x012e21b9
0x012e21be
0x012e22a2
0x012e22a2
0x012e21c4
0x012e21c8
0x012e21cc
0x012e21d0
0x012e21d4
0x012e21de
0x012e21e3
0x01325a29
0x01325a2c
0x00000000
0x00000000
0x01325a3b
0x00000000
0x012e21e9
0x012e21e9
0x012e21e9
0x012e21ee
0x012e21f1
0x01325a45
0x01325a4b
0x01325a52
0x01325a58
0x01325a5d
0x01325a5f
0x01325a71
0x01325a61
0x01325a6a
0x01325a6a
0x01325a76
0x01325a79
0x01325a7f
0x01325a83
0x01325a85
0x01325a87
0x01325a87
0x01325a8c
0x01325a91
0x01325a97
0x01325a9f
0x01325aa0
0x01325aa1
0x01325aa6
0x01325aab
0x01325ab1
0x01325ab3
0x01325ab9
0x01325aca
0x01325ad4
0x01325ad4
0x01325ade
0x01325ade
0x01325aab
0x01325a79
0x01325a52
0x012e21f7
0x012e21f9
0x012e21fe
0x012e21fe
0x012e21e3
0x012e2195
0x012e236c
0x012e2122
0x012e2122
0x012e2124
0x012e2231
0x012e2236
0x012e2236
0x012e2238
0x012e2238
0x012e2240
0x012e2242
0x012e2244
0x013259fc
0x012e218c
0x012e218c
0x00000000
0x012e218c
0x012e224a
0x012e224f
0x012e2256
0x012e2304
0x012e2309
0x012e230f
0x012e231e
0x012e231e
0x012e231e
0x012e2320
0x012e2325
0x012e232a
0x012e232c
0x012e233e
0x012e233e
0x00000000
0x012e232c
0x012e2311
0x012e2317
0x012e231a
0x012e231c
0x012e2380
0x012e2380
0x012e2380
0x012e2384
0x00000000
0x00000000
0x012e2386
0x00000000
0x012e231c
0x012e225c
0x012e225c
0x00000000
0x012e225c
0x012e212a
0x012e2134
0x012e2138
0x012e213d
0x01325858
0x01325863
0x01325863
0x01325867
0x0132586a
0x00000000
0x00000000
0x0132586c
0x0132586c
0x01325871
0x01325875
0x01325877
0x01325997
0x0132599c
0x013259a1
0x013259a7
0x013259a7
0x00000000
0x013259a7
0x0132587d
0x00000000
0x0132588b
0x0132588b
0x01325890
0x01325892
0x01325894
0x01325899
0x0132589b
0x013258a0
0x013258a0
0x013258aa
0x013258b2
0x013258b6
0x013258be
0x013258c6
0x013258c9
0x0132590d
0x01325917
0x0132591a
0x0132591c
0x01325920
0x01325928
0x0132592a
0x0132592c
0x0132592e
0x0132592e
0x013258cb
0x013258cd
0x013258d8
0x013258e0
0x013258f4
0x013258fe
0x013258fe
0x0132593a
0x0132593e
0x01325940
0x01325942
0x00000000
0x01325944
0x01325944
0x01325949
0x0132594e
0x0132594e
0x01325953
0x0132595b
0x01325976
0x01325976
0x0132597a
0x0132597f
0x00000000
0x00000000
0x00000000
0x00000000
0x01325981
0x01325981
0x01325981
0x01325983
0x01325988
0x0132598d
0x01325991
0x01325991
0x00000000
0x0132595d
0x0132595d
0x01325963
0x01325965
0x00000000
0x00000000
0x00000000
0x00000000
0x01325967
0x01325967
0x0132596b
0x0132596d
0x00000000
0x00000000
0x0132596f
0x01325971
0x01325971
0x01325974
0x00000000
0x00000000
0x00000000
0x01325974
0x00000000
0x01325967
0x0132595b
0x01325942
0x01325863
0x012e2143
0x012e2143
0x012e2149
0x012e214f
0x012e22f1
0x012e22f6
0x00000000
0x012e2173
0x012e2173
0x012e217d
0x012e2181
0x012e2186
0x013259ae
0x013259b2
0x013259b5
0x013259b7
0x013259ba
0x013259cd
0x013259d1
0x013259d5
0x013259d9
0x013259db
0x00000000
0x00000000
0x013259dd
0x013259dd
0x013259e1
0x013259e4
0x013259e7
0x013259ee
0x013259ee
0x013259f3
0x013259f3
0x00000000
0x012e2186
0x012e214f
0x012e2106
0x012e2266
0x012e20d8
0x012e20da
0x012e20e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d699b693991dbff1e236967c5c69d5ded79047cb10420aaaafb3aec5a2cf726a
Instruction ID: 5558c50b445751cbb5fc8c6b534ca079c0fbcf9f5745fba1cfe9a22a0f611eed
Opcode Fuzzy Hash: d699b693991dbff1e236967c5c69d5ded79047cb10420aaaafb3aec5a2cf726a
Instruction Fuzzy Hash: 49F15A31628352CFE726DF2CC44476A7BE9BF85328F48851DEA968B281D774D940CB82

Uniqueness

Uniqueness Score: -1.00%

Function 012C849B Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E012C849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x138f9c0);
				E0130D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x13a7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E012CCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E012D2280( *[fs:0x30], 0x13a8550);
						_t139 =  *0x13a7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E012EF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E012CFFB0(_t193, _t235, 0x13a8550);
								L5:
								return E0130D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E012B1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x13a7b9c; // 0x0
							_t235 = L012D4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x13a7b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E012EA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E012CFFB0(_t193, _t235, 0x13a8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L012D77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L012D77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x13a7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x13a7b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E012F37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x13a7b9c; // 0x0
									_t214 = L012D4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E012F37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x13a7b10 =  *0x13a7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x13a7b04 =  *0x13a7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L012D77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L012D77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x13a7b08 =  *0x13a7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E012F57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E012FF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L012D77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E012EA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L012D77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E012F96C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x012c849b
0x012c849b
0x012c849b
0x012c849b
0x012c849d
0x012c84a2
0x012c84a7
0x012c84b1
0x012c84d8
0x00000000
0x012c84b3
0x012c84c4
0x012c84c9
0x012c84cd
0x012c84cf
0x012c84cf
0x012c84d6
0x012c84e6
0x012c84e9
0x012c84ec
0x012c84ef
0x012c84f2
0x012c84f4
0x012c84fc
0x012c8501
0x012c8506
0x012c8509
0x012c86e0
0x012c86e5
0x012c86e8
0x012c86ed
0x012c86f0
0x012c86f2
0x01319afd
0x01319b02
0x012c84da
0x012c84df
0x012c84df
0x012c86fa
0x012c86fd
0x012c86fe
0x012c8701
0x012c8706
0x012c8709
0x012c870b
0x00000000
0x00000000
0x012c8711
0x012c8725
0x012c8727
0x012c872a
0x012c872c
0x01319af0
0x01319af5
0x012c8732
0x012c8732
0x012c8732
0x012c8735
0x012c8737
0x012c8515
0x012c8515
0x012c8518
0x012c851d
0x012c8523
0x012c8527
0x012c852b
0x012c8537
0x012c8539
0x012c853c
0x012c853e
0x012c868c
0x012c8691
0x012c8699
0x012c869b
0x012c8744
0x012c8748
0x012c86a1
0x012c86a1
0x012c86a1
0x012c86a4
0x012c86a8
0x01319bdf
0x01319bdf
0x012c86ae
0x012c86b0
0x00000000
0x012c86b6
0x00000000
0x01319be9
0x012c86b0
0x012c8544
0x012c854a
0x012c854d
0x012c8551
0x012c876e
0x012c8778
0x012c877b
0x012c8780
0x012c8557
0x012c8557
0x012c855d
0x012c855d
0x012c856b
0x012c856e
0x012c8570
0x012c8573
0x012c8576
0x012c8576
0x012c8579
0x012c857b
0x00000000
0x00000000
0x012c8581
0x012c85a0
0x012c85a2
0x012c85a5
0x012c85a7
0x01319b1b
0x01319b1b
0x012c862e
0x012c862e
0x012c8631
0x012c8631
0x012c8634
0x012c8636
0x012c8669
0x012c8669
0x012c866b
0x01319bbf
0x01319bc4
0x01319bc8
0x01319bce
0x01319bce
0x012c8671
0x012c8671
0x012c8674
0x012c8676
0x01319bae
0x01319bae
0x012c8676
0x012c867c
0x012c867e
0x012c8688
0x012c8688
0x00000000
0x012c867e
0x012c8638
0x012c8638
0x012c863b
0x012c863e
0x012c863f
0x012c8642
0x012c8645
0x012c8648
0x012c864d
0x01319b69
0x01319b6e
0x01319b7b
0x01319b81
0x01319b85
0x01319b89
0x01319ba7
0x01319b8b
0x01319b91
0x01319b9a
0x01319b9f
0x01319b9f
0x012c8788
0x012c878d
0x012c8763
0x012c8763
0x012c8766
0x00000000
0x012c8766
0x01319b70
0x00000000
0x01319b70
0x012c8656
0x012c865a
0x012c865c
0x012c8752
0x012c8756
0x00000000
0x00000000
0x012c875e
0x00000000
0x012c875e
0x012c8662
0x012c8662
0x012c8662
0x012c8666
0x00000000
0x012c8666
0x012c85b7
0x012c85b9
0x012c85bc
0x012c85bf
0x012c85cc
0x012c85d1
0x012c85d4
0x012c85db
0x012c85de
0x012c85e0
0x01319b5f
0x00000000
0x01319b5f
0x012c85e6
0x012c85ea
0x012c86c3
0x012c86c5
0x012c86c8
0x012c86ca
0x01319b16
0x00000000
0x01319b16
0x012c86d6
0x012c85f6
0x012c85f6
0x012c85f9
0x012c8602
0x012c8606
0x012c860a
0x012c860b
0x012c860e
0x012c8611
0x00000000
0x012c8611
0x012c85f3
0x00000000
0x012c85f3
0x012c8619
0x012c861e
0x012c861e
0x012c8621
0x012c8622
0x012c8623
0x012c8625
0x012c862c
0x00000000
0x012c873d
0x00000000
0x012c873d
0x012c8737
0x012c850f
0x012c8512
0x00000000
0x012c8512
0x00000000
0x012c84d6

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 053284d47d644e0daeb3983c37c5ad77a447baf70a2b8b6d6102782ba40231ec
Instruction ID: 87eca738307911acf58949843a4f70de52e113aba3ad8574281a2f438070d39b
Opcode Fuzzy Hash: 053284d47d644e0daeb3983c37c5ad77a447baf70a2b8b6d6102782ba40231ec
Instruction Fuzzy Hash: DCB171B4E2020ADFDB29DF99C984AADFBB5FF44708F10822DE605AB345D770A845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 012BC600 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E012BC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x13ad360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E012C6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E012FB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x13a7b9c; // 0x0
					_t74 = L012D4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E012F9650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L012D77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E012FF3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E012F13C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L012D77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E012F9650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x012bc608
0x012bc615
0x012bc625
0x012bc62d
0x012bc635
0x012bc640
0x012bc680
0x012bc687
0x012bc688
0x012bc689
0x012bc694
0x012bc694
0x012bc642
0x012bc64a
0x012bc697
0x01327a25
0x01327a2b
0x01327a2e
0x01327a30
0x01327bea
0x01327bea
0x00000000
0x01327bea
0x01327a36
0x01327a43
0x01327a48
0x01327a4c
0x01327a4e
0x00000000
0x00000000
0x01327a58
0x01327a5a
0x01327a5b
0x01327a5c
0x01327a5d
0x01327a63
0x01327a64
0x01327a6a
0x01327a6c
0x01327a6e
0x013279cb
0x013279cb
0x013279ce
0x013279d0
0x01327a98
0x01327a9b
0x01327a9b
0x01327a9e
0x01327aa1
0x01327bbe
0x01327bbe
0x01327bc0
0x01327be0
0x01327be0
0x01327a01
0x01327a01
0x01327a05
0x01327a07
0x01327a15
0x01327a15
0x01327a1a
0x00000000
0x01327a1a
0x01327bc2
0x01327bc6
0x01327bc9
0x01327bcd
0x01327bcf
0x013279e6
0x013279e6
0x013279eb
0x013279eb
0x013279ef
0x013279f1
0x00000000
0x00000000
0x013279f3
0x013279f5
0x013279ff
0x013279ff
0x00000000
0x013279ff
0x013279f7
0x013279fd
0x00000000
0x00000000
0x00000000
0x013279fd
0x01327bd5
0x01327bd8
0x00000000
0x00000000
0x01327ba9
0x01327bac
0x01327bb0
0x01327bb1
0x01327bb1
0x01327bb6
0x00000000
0x01327bb6
0x01327aa7
0x01327aaa
0x00000000
0x00000000
0x01327ab2
0x01327ab3
0x01327ab5
0x01327aec
0x01327aef
0x01327b25
0x01327b28
0x01327b62
0x01327b64
0x01327b8f
0x01327b92
0x01327b96
0x01327b98
0x00000000
0x00000000
0x01327b9e
0x01327b9f
0x01327ba3
0x00000000
0x01327ba3
0x01327b66
0x01327b68
0x01327ae2
0x01327ae2
0x00000000
0x01327ae2
0x01327b6e
0x01327b72
0x01327b75
0x01327b81
0x01327b85
0x01327b87
0x00000000
0x00000000
0x01327b31
0x01327b34
0x01327b3c
0x01327b45
0x01327b46
0x01327b4f
0x01327b51
0x01327b57
0x01327b59
0x01327b59
0x00000000
0x01327b59
0x01327b77
0x00000000
0x01327b77
0x01327b2a
0x00000000
0x01327b2a
0x01327af1
0x01327af3
0x00000000
0x00000000
0x01327afb
0x01327afc
0x01327afe
0x00000000
0x00000000
0x01327b00
0x01327b03
0x00000000
0x00000000
0x01327b05
0x01327b09
0x01327b0d
0x01327b0f
0x00000000
0x00000000
0x01327b18
0x01327b1d
0x00000000
0x01327b1d
0x01327ab7
0x01327ab9
0x00000000
0x00000000
0x01327abf
0x01327ac1
0x00000000
0x00000000
0x01327ac3
0x01327ac6
0x00000000
0x00000000
0x01327ac8
0x01327acc
0x01327ad0
0x01327ad2
0x00000000
0x00000000
0x01327adb
0x00000000
0x01327adb
0x013279d6
0x013279d9
0x013279dc
0x01327a91
0x01327a94
0x00000000
0x01327a94
0x013279e2
0x00000000
0x013279e2
0x01327a74
0x01327a7a
0x00000000
0x00000000
0x01327a8a
0x01327a21
0x01327a21
0x00000000
0x01327a21
0x012bc650
0x012bc651
0x012bc656
0x012bc65c
0x012bc65d
0x012bc663
0x012bc664
0x012bc66a
0x012bc66e
0x013279c5
0x013279c7
0x00000000
0x013279c7
0x012bc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40aa5c896912682ff328419c148f8779ebba6fac3dbedcda5ac576aa30405245
Instruction ID: e992f5a4169e897ec27dab98e00bd4b45fa8538def522c209417152c908b8c3e
Opcode Fuzzy Hash: 40aa5c896912682ff328419c148f8779ebba6fac3dbedcda5ac576aa30405245
Instruction Fuzzy Hash: C48171756142158BDB26EE58C880F7BB7A8FBA4358F14486EEE459B341D330ED41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01336DC9 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E01336DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L012D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E01336B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E012D7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E012F9AE0();
					_t87 = L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0133795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0133795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0133795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0133795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L012D4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E01336B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E01336B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E01336B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E01336B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E012D7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E012F9AE0();
								L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L012D2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L012D2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L012D2400( &_v52);
							}
							if(_v28 >= 0) {
								return L012D2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x01336dd4
0x01336dde
0x01336de1
0x01336de3
0x01336de6
0x01336de9
0x01336dec
0x01336def
0x01336df2
0x01336df5
0x01336dfe
0x01336e04
0x01336e09
0x01336e0d
0x01336e18
0x01336e1b
0x01336e22
0x01336e2d
0x01336e30
0x01336e36
0x01336e42
0x01336e4d
0x01336e50
0x01336e55
0x01336e5c
0x01336e6e
0x01336e5e
0x01336e67
0x01336e67
0x01336e73
0x01336e74
0x01336e77
0x01336e7c
0x01336e7d
0x01336e8e
0x01336e93
0x01336e9c
0x01336ea8
0x01336eab
0x01336eac
0x01336eb3
0x01336ecd
0x01336edc
0x01336ee2
0x01336ee5
0x01336ef2
0x01336efb
0x01336f01
0x01336f06
0x01336f0b
0x01336f11
0x01336f1a
0x01336f22
0x01336f26
0x01336f26
0x01336f33
0x01336f41
0x01336f44
0x01336f47
0x01336f54
0x01336f65
0x01336f77
0x01336f7c
0x01336f82
0x01336f91
0x01336f99
0x01336fa3
0x01336fae
0x01336fae
0x01336fba
0x01336fbb
0x01336fbc
0x01336fc1
0x01336fc2
0x01336fd3
0x01336fd8
0x01336fd8
0x01336fdf
0x01336fe8
0x01336fee
0x01336fee
0x01336ff5
0x01336ffb
0x01336ffb
0x01337004
0x00000000
0x0133700a
0x01337004
0x01336eb3
0x01336e9c
0x01337015

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 0d38ea41ded693eb71bb0ce40c9e31b0ebb8190ee67ec9d248df219843160e98
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: EC718FB1A00209EFDB11DFA9C984AEEFBB9FF88714F104169E505E7250DB34EA45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0134B8D0 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0134B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x13a7b9c; // 0x0
				_t124 = L012D4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E012F9800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E012F95B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E012F95D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L012D77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E012F9910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E012F95D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x13a7b9c; // 0x0
									_t92 = L012D4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E012F9910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E012BA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0134E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0134E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E012F95B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0134b8d9
0x0134b8e4
0x00000000
0x0134b8e6
0x0134b8f3
0x0134b8f5
0x0134b8f5
0x0134b8f8
0x0134b920
0x0134b924
0x0134b936
0x0134b939
0x0134b93d
0x0134b948
0x0134b9a0
0x0134b9a0
0x0134b9a4
0x0134b9bf
0x0134b9c4
0x0134b9c6
0x0134b9cd
0x0134b9d1
0x0134bad4
0x0134bad8
0x0134bada
0x0134badc
0x0134badc
0x0134badf
0x0134bae0
0x0134bae2
0x0134bae4
0x0134baec
0x0134baee
0x0134baf0
0x0134baf0
0x0134baec
0x0134bafb
0x0134bafc
0x0134bafe
0x0134bb01
0x0134bb01
0x00000000
0x0134bb06
0x0134b9d7
0x0134b9db
0x0134b9db
0x0134b9de
0x0134b9de
0x0134b9e4
0x0134b9e7
0x0134b9ea
0x0134b9ec
0x0134b9ef
0x0134b9f3
0x0134ba1b
0x0134ba1b
0x0134ba23
0x0134ba24
0x0134ba27
0x0134ba2a
0x0134ba2b
0x0134ba2e
0x0134ba30
0x0134ba37
0x0134ba3f
0x0134ba9c
0x0134baa2
0x0134bb13
0x0134bb15
0x0134baae
0x0134baae
0x0134bab3
0x0134bab5
0x0134baba
0x0134bac8
0x0134bac8
0x0134baba
0x0134bacd
0x0134bacf
0x00000000
0x0134bacf
0x0134bb1a
0x00000000
0x0134bb1c
0x0134baa7
0x0134bb11
0x00000000
0x0134bb11
0x0134baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0134ba41
0x0134ba41
0x0134ba41
0x0134ba58
0x0134ba5d
0x0134ba62
0x00000000
0x00000000
0x0134ba64
0x0134ba67
0x0134ba68
0x0134ba69
0x0134ba6c
0x0134ba6f
0x0134ba71
0x0134ba78
0x0134ba80
0x00000000
0x00000000
0x0134ba90
0x0134ba90
0x0134ba97
0x00000000
0x0134ba97
0x0134b9f5
0x0134b9f7
0x0134b9f7
0x0134b9fa
0x0134ba03
0x0134ba07
0x0134ba0c
0x0134ba10
0x0134ba17
0x00000000
0x0134b9f7
0x0134b9a6
0x0134b9a8
0x0134b9af
0x0134b9b3
0x00000000
0x00000000
0x0134b9b9
0x00000000
0x0134b9b9
0x0134b94d
0x0134b98f
0x0134b995
0x0134b999
0x0134b960
0x0134b967
0x0134b968
0x0134b96a
0x00000000
0x0134b96a
0x0134b99b
0x0134b99e
0x00000000
0x00000000
0x00000000
0x0134b99e
0x0134b951
0x0134b954
0x0134b95a
0x0134b95e
0x0134b972
0x0134b979
0x0134b97d
0x0134b97f
0x0134b980
0x0134b982
0x0134b984
0x00000000
0x0134b984
0x00000000
0x0134b926
0x00000000
0x0134b926

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc81be5a49264cd8777f929cb1c414eb37259d2a0c0dc1627c35b0d28116868a
Instruction ID: 86653bfb2e01ee2d2b95b157630715430a56e352860a97a4eaef70ea282c0e89
Opcode Fuzzy Hash: dc81be5a49264cd8777f929cb1c414eb37259d2a0c0dc1627c35b0d28116868a
Instruction Fuzzy Hash: 0171F032200706AFEB32DF28C844F66FBE9EB44728F154928E655876A4DB75F944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012B52A5 Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E012B52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E012CEEF0(0x13a79a0);
					_t104 =  *0x13a8210; // 0xff2d10
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x30000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E012CEB70(_t93, 0x13a79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E012F9890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E012CEEF0(0x13a79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E012CEB70(0, 0x13a79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0xff2d2802
								_t13 = _t104 + 0xc; // 0xff2d1d
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E012EF0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E012CEEF0(0x13a79a0);
									__eflags =  *0x13a8210 - _t104; // 0xff2d10
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x13a8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x2000ff2d
											_t95 =  *((intOrPtr*)( *_t37));
											E01334888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E012CEB70(_t95, 0x13a79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											_push( *_t38);
											E012F95D0();
											L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											_push( *_t41);
											E012F95D0();
											L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E012CEB70(_t93, 0x13a79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										_push( *_t25);
										E012F95D0();
										L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E012F95D0();
										L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x2000ff2d
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0xff2d2802
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E012EF0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x012b52a5
0x012b52ad
0x012b52b0
0x012b52b3
0x012b52b7
0x012b52ba
0x012b52bf
0x012b52c4
0x012b52cc
0x00000000
0x00000000
0x012b52ce
0x012b52d1
0x012b52d9
0x012b52dd
0x012b52e7
0x012b52f7
0x012b52f9
0x012b52fd
0x01310dcf
0x01310dd5
0x01310dd6
0x01310dd7
0x01310dd8
0x01310dd9
0x01310dde
0x01310ddf
0x01310de0
0x01310de1
0x01310de2
0x01310de2
0x01310de5
0x01310dea
0x01310dec
0x01310f60
0x01310f64
0x01310f70
0x01310f76
0x01310f79
0x01310f79
0x00000000
0x01310f64
0x01310df2
0x01310df7
0x01310e04
0x01310e04
0x01310e0d
0x01310e0d
0x01310e10
0x01310e1a
0x01310e1c
0x01310e4c
0x01310e52
0x01310e61
0x01310e67
0x01310e6b
0x01310e70
0x01310e76
0x01310ed7
0x01310edc
0x01310ee0
0x01310ee6
0x01310eea
0x01310eed
0x01310ef0
0x01310ef3
0x01310ef6
0x01310ef9
0x01310efb
0x01310efe
0x01310f01
0x01310f01
0x01310f0b
0x01310f12
0x01310f16
0x01310f18
0x01310f18
0x01310f1b
0x01310f2c
0x01310f31
0x01310f31
0x01310f35
0x01310f39
0x01310f3a
0x01310f3c
0x01310f3c
0x01310f3f
0x01310f50
0x01310f55
0x01310f55
0x01310f59
0x012b52eb
0x012b52f1
0x012b52f1
0x01310e7d
0x01310e84
0x01310e88
0x01310e8a
0x01310e8a
0x01310e8d
0x01310e9e
0x01310ea3
0x01310ea3
0x01310ea7
0x01310eaf
0x01310eb3
0x01310eb9
0x01310eb9
0x01310ebc
0x01310ecd
0x01310ecd
0x00000000
0x01310eb3
0x01310e1e
0x01310e21
0x01310e25
0x01310e2b
0x01310e2f
0x01310e30
0x01310e3a
0x01310e3f
0x01310e41
0x00000000
0x00000000
0x01310e47
0x00000000
0x01310e47
0x01310df9
0x01310dfe
0x00000000
0x00000000
0x00000000
0x01310dfe
0x012b5303
0x012b5307
0x00000000
0x012b5309
0x00000000
0x012b5309
0x012b5307
0x012b52e9
0x012b52e9
0x00000000
0x012b52e9
0x012b530e
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b426dbc233dd4d9785f3a67dc087c976eab2ac79d361b7997f47e817f08363
Instruction ID: eef5b309bd19eafaf87f5a56b6694f8ba1d713bdc0f71eeb11e2d4381fcbb982
Opcode Fuzzy Hash: 59b426dbc233dd4d9785f3a67dc087c976eab2ac79d361b7997f47e817f08363
Instruction Fuzzy Hash: D6512130125742AFD725DF28C881B67BBE4FF50718F10091EF69587651E770E844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012E2AE4 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012E2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x13a8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x13a8208; // 0x13a8207
				_t8 = _t57 + 0x13a8208; // 0x13a8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x13a8450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x13a821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x13a6d5c; // 0x7eff0654
							_t72 =  *0x13a6d5c; // 0x7eff0654
							_t75 =  *0x13a6d5c; // 0x7eff0654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x13a6d5c; // 0x7eff0654
							_t84 =  *0x13a6d5c; // 0x7eff0654
							_t87 =  *0x13a6d5c; // 0x7eff0654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E012FF3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x012e2ae4
0x012e2aec
0x012e2aef
0x012e2af4
0x012e2af7
0x012e2afd
0x012e2b92
0x012e2b92
0x012e2b97
0x012e2b9c
0x012e2b9c
0x012e2b03
0x012e2b06
0x012e2b09
0x012e2b09
0x012e2b0f
0x012e2b15
0x012e2b15
0x012e2b1b
0x012e2b1e
0x012e2b21
0x012e2b26
0x012e2b29
0x012e2b81
0x012e2b84
0x012e2c0e
0x012e2c15
0x012e2c24
0x012e2c24
0x012e2b8a
0x012e2b8a
0x012e2b8a
0x012e2b8a
0x012e2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x012e2b4a
0x012e2b4a
0x012e2b4d
0x012e2b53
0x00000000
0x00000000
0x012e2b55
0x012e2b58
0x012e2bb7
0x01325d1b
0x01325d37
0x01325d47
0x01325d53
0x012e2bbd
0x012e2bbd
0x012e2bbd
0x012e2bb7
0x012e2b5d
0x012e2c2f
0x01325d5b
0x01325d77
0x01325d87
0x01325d93
0x012e2c35
0x012e2c35
0x012e2c35
0x012e2c2f
0x012e2b65
0x012e2b9f
0x012e2ba2
0x012e2b67
0x012e2b67
0x012e2b69
0x012e2b6b
0x012e2b6e
0x012e2bc9
0x012e2bcc
0x012e2bcf
0x012e2bd4
0x012e2bd6
0x012e2bd6
0x012e2bdb
0x012e2c02
0x012e2c05
0x012e2c07
0x00000000
0x012e2c07
0x012e2be0
0x012e2c00
0x012e2c3f
0x012e2c3f
0x00000000
0x012e2c00
0x012e2be5
0x012e2be7
0x012e2bec
0x012e2bf4
0x012e2bf6
0x00000000
0x012e2bf6
0x012e2b70
0x012e2b76
0x012e2b2b
0x012e2b2b
0x012e2b2d
0x012e2b2f
0x012e2b32
0x012e2b35
0x012e2b3a
0x00000000
0x012e2b40
0x012e2b43
0x012e2b45
0x012e2b47
0x012e2b4a
0x012e2b4d
0x012e2b53
0x00000000
0x00000000
0x00000000
0x012e2b53
0x012e2b78
0x012e2b78
0x012e2b7b
0x012e2b7e
0x00000000
0x012e2b7e
0x012e2b76
0x012e2ba5
0x012e2ba5
0x012e2ba8
0x012e2bad
0x00000000
0x00000000
0x012e2baf
0x012e2baf
0x012e2bc2
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d50a040ae81c0a2861b9c23173b3343aed319043a9df1c079dd6e165a003ba1
Instruction ID: c9ca3590a077c34ecc560769768a5f3375e3f4b8742545526d824dc5d4a799ce
Opcode Fuzzy Hash: 1d50a040ae81c0a2861b9c23173b3343aed319043a9df1c079dd6e165a003ba1
Instruction Fuzzy Hash: 1451B376A20125CFCB14CF1CC895ABDB7F9FB88700B59845EE847AB355E730AA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012DDBE9 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E012DDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E012BCC50(E012B4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E012D7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E01388ED6(_t102, _t98);
						}
						_t76 = _v44;
						E012D2280(_t58, _v44);
						E012DDD82(_v44, _t102, _t98);
						E012DB944(_t102, _v5);
						return E012CFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x13a8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x13a862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x13a8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x13a862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x137fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x012ddbe9
0x012ddbf2
0x012ddbf7
0x012ddbf9
0x012ddbfc
0x012ddc00
0x012ddc03
0x012ddc14
0x012ddd54
0x012ddd54
0x012ddd54
0x012ddc18
0x012ddc1d
0x012ddc1d
0x012ddc32
0x012ddc3b
0x012ddc3e
0x012ddc46
0x012ddd5b
0x012ddd62
0x012ddd64
0x012ddd67
0x012ddd69
0x012ddd6b
0x012ddd6e
0x012ddd70
0x012ddd73
0x012ddd73
0x00000000
0x012ddc4c
0x012ddc4e
0x01323ae3
0x01323ae8
0x01323aea
0x012ddce7
0x012ddce9
0x012ddcec
0x012ddcee
0x012ddcf0
0x012ddcf3
0x012ddcf5
0x01323af2
0x01323af5
0x01323af5
0x012ddd06
0x012ddd08
0x012ddd0b
0x012ddd12
0x01323b08
0x012ddd18
0x012ddd18
0x012ddd18
0x012ddd20
0x012ddd23
0x01323b16
0x01323b16
0x012ddd29
0x012ddd2d
0x012ddd36
0x012ddd40
0x012ddd51
0x012ddd51
0x012ddc54
0x012ddc59
0x012ddc59
0x012ddc5e
0x012ddc5e
0x012ddc63
0x012ddc66
0x012ddc6b
0x012ddc78
0x012ddc7b
0x012ddc81
0x012ddc81
0x012ddc83
0x012ddc89
0x00000000
0x00000000
0x012ddd7b
0x012ddd7b
0x012ddc8f
0x012ddc8f
0x012ddc92
0x012ddc99
0x012ddc9f
0x012ddca5
0x012ddcaa
0x012ddcaa
0x012ddcb3
0x012ddcb8
0x012ddcbb
0x012ddcc1
0x012ddccf
0x012ddcd2
0x012ddcd5
0x012ddcd7
0x012ddcda
0x012ddcdc
0x012ddcdc
0x012ddce2
0x012ddce4
0x00000000
0x012ddce4

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175f10ca130650a89dcc62859a44927e7d7aee04bcb46cb9b2a218bd0e4f15b5
Instruction ID: a3f3307d2c1eae70a16a554d56e180f175cdb314f66f50f7ad40c3d1e376e477
Opcode Fuzzy Hash: 175f10ca130650a89dcc62859a44927e7d7aee04bcb46cb9b2a218bd0e4f15b5
Instruction Fuzzy Hash: EB51AE72E10A1ADFCF14DFA8C480AAEFBF5BF48310F24815AD655A7384DB75A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012CEF40 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E012CEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E012B9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77cfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E012B2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x012cef4b
0x012cef4d
0x012cef57
0x012cf0bd
0x012cf0c2
0x012cf0d2
0x012cf0d2
0x012cf0c2
0x012cef5d
0x012cef5f
0x012cef67
0x012cef6a
0x012cef6d
0x012cef74
0x012cef7f
0x012cef82
0x012cef82
0x012cef86
0x012cef88
0x012cef8c
0x012cef8f
0x012cef8f
0x012cef8f
0x00000000
0x012cef91
0x012cef93
0x012cefc4
0x012cefc4
0x012cefc4
0x012cefca
0x012cefd0
0x012cf0a6
0x00000000
0x00000000
0x012cf0af
0x0131bb06
0x0131bb0a
0x012cf0b5
0x012cf0b5
0x012cf0b5
0x012cf0b5
0x00000000
0x012cefd6
0x012cefd9
0x012cf0de
0x012cf0e2
0x012cefdf
0x012cefdf
0x012cefdf
0x012cefe5
0x0131bafc
0x0131bafc
0x012cefe5
0x012cefeb
0x012cefed
0x012cf00f
0x012cf011
0x012cf01a
0x012cf01d
0x012cf021
0x012cf028
0x012cf029
0x012cf029
0x012cf02c
0x00000000
0x012cf02c
0x012ceff3
0x012ceff9
0x012cf0ea
0x012cf0ed
0x012cf0ef
0x00000000
0x012cf0ef
0x012cf003
0x0131bb12
0x012cf045
0x012cf049
0x012cf051
0x012cf09e
0x012cf0a0
0x012cf0a0
0x012cf09e
0x012cf053
0x012cf064
0x012cf064
0x012cf06b
0x0131bb1a
0x0131bb1a
0x012cf071
0x012cf071
0x012cf07d
0x012cf082
0x012cf08f
0x012cf08f
0x012cf009
0x012cf00d
0x00000000
0x012cf00d
0x012cefd0
0x012cef97
0x012cefa5
0x012cefaa
0x00000000
0x012cefac
0x012cefac
0x012cefac
0x00000000
0x012cefb2
0x012cf036
0x012cf03a
0x012cf040
0x012cf090
0x00000000
0x012cf092
0x012cf042
0x00000000
0x012cf042
0x012cefb7
0x012cefb9
0x012cefbc
0x012cefb0
0x012cefb0
0x00000000
0x012cefbe
0x012cefbe
0x012cefc1
0x00000000
0x012cefc1
0x012cefbc
0x012cefaa
0x012cef91

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 4c5f923165ca548d0050b998ea7b35ed1675b7e3484064bd988b3eb37184768e
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: D5510630A24246DFEB25CB68C1C17AEFFB2AF05B14F1482ACC74557286C375A989C751

Uniqueness

Uniqueness Score: -1.00%

Function 0138740D Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0138740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0130D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E012FF380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L012D4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L012D4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E012FF3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L012D4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0138740d
0x0138740d
0x01387412
0x01387413
0x01387416
0x01387418
0x0138741c
0x0138741f
0x01387422
0x01387422
0x01387428
0x0138742a
0x0138742a
0x01387451
0x01387432
0x0138744f
0x0138744f
0x00000000
0x01387434
0x01387438
0x01387443
0x01387517
0x01387517
0x0138751a
0x01387535
0x01387520
0x01387527
0x0138752c
0x01387531
0x01387533
0x00000000
0x01387533
0x00000000
0x01387531
0x0138754b
0x0138754f
0x0138755c
0x0138755c
0x0138755f
0x01387560
0x01387561
0x01387562
0x01387563
0x01387568
0x0138756a
0x0138756c
0x0138756d
0x0138756d
0x0138756f
0x01387572
0x01387574
0x01387577
0x0138757c
0x0138757f
0x00000000
0x01387551
0x01387551
0x01387551
0x01387553
0x01387553
0x01387449
0x01387449
0x0138744c
0x0138744c
0x00000000
0x0138744c
0x01387443
0x0138750e
0x01387514
0x01387514
0x01387455
0x01387469
0x0138746d
0x00000000
0x01387473
0x01387473
0x01387476
0x01387480
0x01387484
0x0138748e
0x01387493
0x01387493
0x01387496
0x01387499
0x013874a1
0x013874b1
0x013874b5
0x00000000
0x013874bb
0x013874c1
0x013874c1
0x013874c4
0x013874c5
0x013874c6
0x013874c7
0x013874c8
0x013874cd
0x00000000
0x013874d3
0x013874d3
0x013874d6
0x013874d8
0x013874db
0x013874dd
0x013874e0
0x013874e7
0x013874ee
0x013874ee
0x013874f4
0x013874f9
0x00000000
0x013874fb
0x013874fb
0x013874fd
0x01387500
0x01387503
0x01387505
0x01387505
0x013874f9
0x00000000
0x013874cd
0x013874b5
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 01c27d69b598e5108c44c5d43f306bf703a4db77f33d7cf3570d52e4f17f2ad9
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 6251AF71600646EFDB16DF18C480A56BBF6FF45308F24C0BAE9089F212E371E945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012E2990 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E012E2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x138ff00);
				E0130D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x1291664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E012FE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x1291668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E013351BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x129166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E012E2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E012C6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E012E2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E012CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E012E2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E012E2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E012E2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0130D0D1(_t62);
				goto L28;
			}

0x012e2990
0x012e2992
0x012e2997
0x012e29a3
0x012e29a6
0x012e29ab
0x012e29ad
0x012e29b2
0x01325c80
0x012e29b8
0x012e29b8
0x012e29bb
0x012e29c0
0x012e29c5
0x012e29c6
0x012e29c6
0x012e29cb
0x00000000
0x00000000
0x012e29cd
0x012e29d0
0x012e29d9
0x012e29db
0x012e29dd
0x012e2a7f
0x012e2a84
0x012e2a87
0x012e2a89
0x01325ca1
0x01325ca3
0x00000000
0x012e2a8f
0x012e2a8f
0x00000000
0x012e2a8f
0x00000000
0x012e29e3
0x012e29e3
0x012e29e3
0x00000000
0x012e29e3
0x012e29dd
0x00000000
0x012e29db
0x012e29e6
0x012e29e9
0x012e29eb
0x012e29ed
0x012e29f3
0x012e29f5
0x012e29f8
0x012e29fa
0x012e2a97
0x012e2a9a
0x012e2a9d
0x012e2add
0x00000000
0x012e2a9f
0x012e2aa2
0x012e2aa5
0x012e2aa8
0x012e2aab
0x01325cab
0x01325caf
0x01325cc5
0x01325cda
0x01325cdc
0x01325cdf
0x01325ce5
0x00000000
0x01325ceb
0x01325ced
0x01325cee
0x00000000
0x01325cee
0x01325cb1
0x01325cb4
0x01325cb9
0x01325cbb
0x00000000
0x01325cbd
0x01325cbd
0x00000000
0x01325cbd
0x01325cbb
0x012e2ab1
0x012e2ab1
0x012e2ac4
0x012e2ac6
0x012e2ac6
0x00000000
0x012e2ac6
0x012e2aab
0x00000000
0x012e2a00
0x012e2a09
0x012e2a0e
0x012e2a21
0x012e2a24
0x012e2a35
0x012e2a3a
0x012e2a3d
0x012e2a42
0x012e2a59
0x012e2a59
0x012e2a5c
0x012e2a5f
0x012e2a5f
0x012e29fa
0x012e29f3
0x012e2a64
0x012e2a64
0x012e2a6b
0x012e2a6b
0x012e2a6d
0x012e2a72
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9f5ba021f1e495c5729c1802942f88f90988b8190f0a6cd49db145023dbdb1
Instruction ID: e0d72a81e152fe33ad1242bdda02ae82fd06801d4e56407ebabc855f277f3d23
Opcode Fuzzy Hash: dd9f5ba021f1e495c5729c1802942f88f90988b8190f0a6cd49db145023dbdb1
Instruction Fuzzy Hash: B651993191021ADFDF26DF99C884AEEBBB9BF08354F508119E902AB320D7718D52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012E4D3B Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E012E4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x13ad360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E012FFA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x13a7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E012FB0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L012D4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E012BCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E012FB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E012FF380(_t67 + 0xc, 0x1295138, 0x10) == 0) {
								 *0x13a60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E012E4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E012E4E70(0x13a86b0, 0x12e5690, 0, 0) != 0) {
					_t46 = E012BCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x012e4d3b
0x012e4d4d
0x012e4d53
0x012e4d58
0x012e4d65
0x012e4d6c
0x012e4d71
0x012e4d77
0x012e4d7f
0x012e4d8c
0x012e4d8e
0x012e4dad
0x012e4db0
0x012e4db7
0x012e4db8
0x012e4db9
0x012e4dba
0x012e4dbb
0x012e4dc1
0x012e4dc8
0x012e4dcc
0x012e4dd5
0x012e4dde
0x012e4ddf
0x012e4de0
0x012e4de1
0x012e4de6
0x012e4de7
0x012e4de9
0x012e4df3
0x00000000
0x00000000
0x01326c7c
0x01326c8a
0x01326c8a
0x01326c9d
0x01326ca7
0x01326cac
0x01326cb2
0x01326cb9
0x00000000
0x01326cbf
0x01326cbf
0x00000000
0x01326cbf
0x01326cb9
0x012e4dfb
0x01326ccf
0x01326cd3
0x012e4e32
0x012e4e39
0x01326ce0
0x01326cf2
0x01326cf2
0x01326ce0
0x012e4e3f
0x012e4e41
0x012e4e51
0x012e4e51
0x012e4e03
0x012e4e03
0x012e4e09
0x012e4e0f
0x012e4e57
0x00000000
0x00000000
0x012e4e1b
0x012e4e30
0x012e4e5b
0x012e4e5b
0x00000000
0x012e4e30
0x012e4e11
0x012e4e11
0x012e4e16
0x00000000
0x012e4e16
0x012e4e01
0x00000000
0x012e4e01
0x012e4da5
0x01326c6b
0x00000000
0x012e4dab
0x012e4dab
0x00000000
0x012e4dab

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ebf22d0d2da1e0ee905d1e3de36445cdfb47883c487f3420cbc732a78aadd0
Instruction ID: 2f80a3d52f49fa8d0586213e605f9a8ce3d05f995c253d8f393ce224135c2c1a
Opcode Fuzzy Hash: 96ebf22d0d2da1e0ee905d1e3de36445cdfb47883c487f3420cbc732a78aadd0
Instruction Fuzzy Hash: 3941E4B1A603589FEB32EF18CC85F66B7E9EB14714F4440AAEA05D7281D7B4DD40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012E4BAD Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E012E4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x13ad360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E012BCC50(_t86);
					L11:
					return E012FB640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x13a8504
				E012D2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E012FFA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E012FB0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L012D4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E012BCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x13a8504
								E012CFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E012E4F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x012e4bad
0x012e4bbf
0x012e4bc2
0x012e4bc6
0x012e4bcd
0x012e4bd9
0x013267fe
0x01326800
0x012e4ccc
0x012e4ccd
0x012e4cb7
0x012e4cc9
0x012e4cc9
0x012e4bdf
0x012e4be5
0x00000000
0x00000000
0x012e4beb
0x012e4bef
0x00000000
0x00000000
0x012e4bf5
0x012e4bf9
0x012e4c06
0x012e4c0b
0x012e4c17
0x012e4c1c
0x012e4c1f
0x012e4c25
0x012e4c33
0x012e4c3d
0x012e4c40
0x012e4c43
0x012e4c47
0x012e4c4d
0x012e4c53
0x012e4c54
0x012e4c55
0x012e4c56
0x012e4c5b
0x012e4c5c
0x012e4c63
0x012e4c6b
0x00000000
0x00000000
0x01326776
0x01326784
0x01326784
0x0132679f
0x013267a7
0x013267af
0x013267ce
0x00000000
0x013267b1
0x013267b7
0x013267b8
0x013267c1
0x013267d3
0x013267d9
0x013267dd
0x012e4c94
0x012e4c94
0x012e4c98
0x012e4c9c
0x012e4ca3
0x013267f4
0x013267f4
0x012e4cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x012e4cb5
0x012e4c79
0x012e4c7e
0x012e4c89
0x012e4c8b
0x012e4c8f
0x012e4c8f
0x00000000
0x012e4c89
0x013267c3
0x00000000
0x013267c3
0x013267af
0x012e4c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700c59d51889c17efc91234924ce7d6731bc920d7cbbfde0af6a5e8b698eb159
Instruction ID: 7b399e61714659451d736478f8af745772a4a0d248623ab07b033a2edc256c5a
Opcode Fuzzy Hash: 700c59d51889c17efc91234924ce7d6731bc920d7cbbfde0af6a5e8b698eb159
Instruction Fuzzy Hash: 4B41C671A102699BDB21EF68C945FEEB7F4EF45700F4104A9EA08EB241D774DE84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012C8A0A Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E012C8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x13ad360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E012FB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E012CE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x1291180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E012E1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E012F3C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E012C8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x012c8a0a
0x012c8a1c
0x012c8a23
0x012c8a2e
0x012c8a30
0x012c8a36
0x012c8a3c
0x012c8a3e
0x012c8a4a
0x012c8a52
0x012c8a9c
0x012c8aae
0x012c8a58
0x012c8a5e
0x012c8a6a
0x012c8a6f
0x012c8a75
0x012c8a7d
0x012c8a85
0x012c8a86
0x012c8a89
0x012c8a93
0x012c8a99
0x012c8a9b
0x00000000
0x012c8aaf
0x012c8abe
0x012c8ac3
0x012c8acb
0x012c8ad7
0x012c8ae0
0x012c8af1
0x00000000
0x012c8af1
0x012c8acd
0x012c8ad5
0x012c8afb
0x012c8afd
0x012c8aff
0x012c8b07
0x012c8b22
0x012c8b24
0x012c8b2a
0x012c8b2e
0x012c8b3f
0x012c8b78
0x012c8b41
0x012c8b52
0x012c8b54
0x012c8b5c
0x012c8b74
0x012c8b74
0x012c8b5c
0x012c8b3f
0x012c8b5e
0x012c8b61
0x012c8b64
0x012c8b64
0x012c8b6c
0x012c8b6c
0x012c8b11
0x01319cd5
0x01319cd5
0x012c8b17
0x012c8b1a
0x012c8b1a
0x00000000
0x012c8ad5
0x012c8a89

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eda6a4f2e72898e1d03b885d084ea7a354f45ac4a993de26808a2b1b0eadf17
Instruction ID: dbe3a5f0c2dfc6f913f3d80ec8bba2513cb70df038c54050b0ce23883acbd7e6
Opcode Fuzzy Hash: 7eda6a4f2e72898e1d03b885d084ea7a354f45ac4a993de26808a2b1b0eadf17
Instruction Fuzzy Hash: 1C4152B1A502299BDB24DF59CC88AB9B7F4FB54700F1086EDDA19D7252E7709E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 013369A6 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E013369A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x13ad360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L012C6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E01336BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E012F9980() >= 0) {
							E012D2280(_t56, 0x13a8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x13a8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x13a8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E012BB6F0(0x129c338, 0x129c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E012F9520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E012F95D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E012CFFB0(_t68, _t77, 0x13a8778);
				}
				_pop(_t78);
				return E012FB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x013369b5
0x013369be
0x013369c3
0x013369c9
0x013369cc
0x013369d1
0x013369d3
0x013369de
0x013369e1
0x013369ea
0x013369f6
0x013369fe
0x01336a13
0x01336a14
0x01336a15
0x01336a16
0x01336a1e
0x01336a26
0x01336a31
0x01336a36
0x01336a37
0x01336a40
0x01336a49
0x01336a4a
0x01336a53
0x01336a59
0x01336a5d
0x01336a5e
0x01336a64
0x01336a67
0x01336a6a
0x01336a6d
0x01336a70
0x01336a77
0x01336a7d
0x01336a86
0x01336a89
0x01336a9c
0x01336a9f
0x01336aa2
0x01336aa5
0x01336aaf
0x01336ab1
0x01336ab8
0x01336ab9
0x01336abb
0x01336abe
0x01336ac5
0x01336ac5
0x01336aaf
0x01336a40
0x01336a26
0x013369fe
0x01336ace
0x01336ad0
0x01336ad3
0x01336ad8
0x01336adf
0x01336adf
0x01336ae8
0x01336aef
0x01336aef
0x01336af9
0x01336b06

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cacb16e1f7bd290938c7713a07739cf4e6ff4f564664fdfe00d670d2e1625500
Instruction ID: b472c761007186e32e9aa25875eed02c5df94b054d69fd3de02a08133d961765
Opcode Fuzzy Hash: cacb16e1f7bd290938c7713a07739cf4e6ff4f564664fdfe00d670d2e1625500
Instruction Fuzzy Hash: 1C418EB1D00209AFEB14CFA9D941BFEBBF8EF48718F04812AE914A7240DB709906CB54

Uniqueness

Uniqueness Score: -1.00%

Function 012B5210 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E012B5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E012B52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E012F95D0();
							L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E012CEB70(_t54, 0x13a79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E012F95D0();
								L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E012CEB70(_t54, 0x13a79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E012FF3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E012CEB70(_t54, 0x13a79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E012F95D0();
							L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x012b5220
0x012b5224
0x01310d13
0x01310d16
0x01310d19
0x012b522a
0x012b522a
0x012b522d
0x012b522d
0x012b5231
0x012b5235
0x012b5239
0x01310d5c
0x01310d62
0x00000000
0x00000000
0x01310d6a
0x01310d7b
0x01310d7f
0x01310d81
0x01310d84
0x01310d95
0x01310d95
0x01310d6c
0x01310d71
0x01310d71
0x01310d9a
0x00000000
0x012b524a
0x012b524a
0x012b5250
0x01310d24
0x01310d35
0x01310d39
0x01310d3b
0x01310d3e
0x01310d50
0x01310d50
0x01310d26
0x01310d2b
0x01310d2b
0x00000000
0x01310d55
0x012b5256
0x012b525b
0x012b5265
0x01310da7
0x012b526b
0x012b526e
0x012b5272
0x01310db1
0x01310db4
0x01310dc5
0x01310dc5
0x012b5272
0x012b5278
0x012b527e
0x012b528a
0x012b528c
0x012b528d
0x00000000
0x012b5280
0x012b5282
0x012b5288
0x012b529f
0x012b5292
0x00000000
0x012b5292
0x00000000
0x012b5288
0x012b527e

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81f05bbd59d06e85b2cfb6a4456645ed4b91bd354e66a6870315a0566fd19e2
Instruction ID: 900186a9006f8380152072838fb16d83037c12baf98939add2c92221531bc4eb
Opcode Fuzzy Hash: a81f05bbd59d06e85b2cfb6a4456645ed4b91bd354e66a6870315a0566fd19e2
Instruction Fuzzy Hash: 07312831272601DBD72A9B2CC881B7ABB65FF10768F51462EF6154B694E770E840C690

Uniqueness

Uniqueness Score: -1.00%

Function 012F3D43 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012F3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E012C7B60(0, _t61, 0x12911c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E012C7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						_t12 =  &(_t61[2]); // 0x5a495824
						 *((short*)( *_t12 + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L012D4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x012f3d4c
0x012f3d50
0x012f3d55
0x012f3d5e
0x0132e79a
0x00000000
0x0132e79a
0x012f3d68
0x0132e789
0x012f3d9d
0x012f3da3
0x012f3daf
0x012f3db5
0x012f3dbc
0x012f3dc4
0x012f3dc9
0x012f3dce
0x0132e7ae
0x0132e7ae
0x012f3dd9
0x012f3dde
0x012f3de2
0x012f3de7
0x012f3e0d
0x012f3e13
0x012f3e16
0x012f3e1e
0x012f3e25
0x012f3e28
0x00000000
0x00000000
0x012f3e2a
0x012f3e2f
0x012f3e37
0x012f3e37
0x00000000
0x012f3e37
0x012f3e31
0x00000000
0x012f3e31
0x012f3e20
0x012f3e20
0x012f3e35
0x00000000
0x012f3de9
0x012f3de9
0x012f3de9
0x012f3dee
0x012f3dfd
0x012f3dff
0x012f3e02
0x012f3e05
0x012f3e05
0x00000000
0x012f3df0
0x012f3de7
0x0132e78f
0x0132e794
0x012f3d79
0x012f3d84
0x012f3d89
0x012f3d8e
0x00000000
0x0132e7a4
0x012f3d96
0x012f3d9a
0x00000000
0x012f3d9a
0x00000000
0x0132e794
0x012f3d6e
0x012f3d73
0x00000000
0x0132e7b5
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d76ec93737209b8cdd4448faeb9a9cefb7d351c0358311c7b015905c8ccd5d3
Instruction ID: d3454d0a474783f09ba61ea4899180e07ced693b36622d62ef00dff4dc60c26c
Opcode Fuzzy Hash: 3d76ec93737209b8cdd4448faeb9a9cefb7d351c0358311c7b015905c8ccd5d3
Instruction Fuzzy Hash: E931AD71A21626DBD729DF2DC842A7ABBE5FF45710B05807EEA45CB390E670D840C790

Uniqueness

Uniqueness Score: -1.00%

Function 012EA61C Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E012EA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x1390220);
				E0130D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x13a7b9c; // 0x0
				_t55 = L012D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0130D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x13a7b10 =  *0x13a7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x13a536c; // 0x77e05368
					if( *_t51 != 0x13a5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x13a5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x13a536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E012EA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x012ea61c
0x012ea61e
0x012ea623
0x012ea628
0x012ea62b
0x012ea62d
0x012ea648
0x012ea64a
0x012ea64f
0x01329b44
0x012ea6ec
0x012ea6f1
0x012ea6f1
0x012ea655
0x012ea657
0x012ea65a
0x012ea65d
0x012ea662
0x012ea663
0x012ea667
0x012ea668
0x012ea66d
0x012ea706
0x012ea706
0x01329bda
0x01329be6
0x01329beb
0x00000000
0x01329beb
0x012ea679
0x01329b7a
0x00000000
0x01329b7a
0x012ea683
0x012ea6f4
0x012ea6f7
0x012ea6f9
0x012ea6fd
0x012ea6a0
0x012ea6a0
0x012ea6ad
0x012ea6af
0x012ea6b4
0x01329ba7
0x01329bac
0x00000000
0x00000000
0x01329bc6
0x01329bce
0x01329bd1
0x01329bd3
0x01329bd3
0x00000000
0x01329bd1
0x012ea6bd
0x012ea6c3
0x012ea6c6
0x012ea6d2
0x012ea701
0x012ea704
0x00000000
0x012ea704
0x012ea6d4
0x012ea6d6
0x012ea6d9
0x012ea6db
0x012ea6e1
0x012ea6e6
0x012ea6e8
0x012ea6e8
0x012ea6ea
0x00000000
0x012ea6ea
0x012ea688
0x012ea692
0x012ea694
0x012ea699
0x00000000
0x00000000
0x012ea69d
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86319f3a02391d5a2e2164cc5741b19b3c19a3531233d005697831a35354c75
Instruction ID: 71af395764eb32ea2bb04181e77f8a61ed75918b2e31bd7d4aaf5c9f3c9ef1ba
Opcode Fuzzy Hash: a86319f3a02391d5a2e2164cc5741b19b3c19a3531233d005697831a35354c75
Instruction Fuzzy Hash: C5418CB5A50215DFDF19CF58C890BADBBF1FB89308F5580A9E905AB384C774A901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 012DC182 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E012DC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E012D7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E01388D34(_v8, _t80);
					}
					E012D2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E012CFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E01388833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E012CFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E012FB180();
						if(_a4 != 0) {
							E012D2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E012DBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E012DBB2D(_t16, _t15);
						E012DB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E012CFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E012CFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E012CFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x012dc18d
0x012dc18f
0x012dc191
0x012dc19b
0x012dc1a0
0x012dc1d4
0x012dc1de
0x01322d6e
0x012dc1e4
0x012dc1e4
0x012dc1e4
0x012dc1ec
0x01322d7d
0x01322d7d
0x012dc1f3
0x012dc1ff
0x01322d88
0x01322d8d
0x01322d94
0x01322d94
0x01322d9f
0x01322da4
0x01322dab
0x01322db0
0x01322db2
0x01322db3
0x01322db4
0x01322dbc
0x01322dc3
0x01322dc3
0x012dc205
0x012dc205
0x012dc208
0x012dc20e
0x012dc211
0x012dc216
0x012dc219
0x012dc21f
0x012dc222
0x012dc22c
0x012dc234
0x012dc23a
0x012dc23f
0x012dc245
0x012dc24b
0x012dc251
0x012dc25a
0x012dc276
0x012dc27d
0x012dc27d
0x012dc25c
0x012dc25c
0x00000000
0x012dc25e
0x012dc1a4
0x012dc1aa
0x012dc1b3
0x012dc265
0x012dc26c
0x012dc26c
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 79330595fd8314dcc611888129a8d029da03af5ee72c10737e4e980494954feb
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: B5314872A21587BFD705EBB8C890BFAFB55BF52204F04415ED51C47241DB74AA1ACBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01337016 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01337016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x13ad360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E01336B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E01336B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E012D7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E012F9AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E012FB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L012D4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x01337016
0x0133701e
0x0133702b
0x01337033
0x01337037
0x0133703c
0x0133703e
0x01337041
0x01337045
0x0133704a
0x01337050
0x01337055
0x0133705a
0x01337062
0x01337062
0x0133705a
0x01337064
0x01337064
0x01337067
0x01337071
0x01337096
0x0133709b
0x013370a2
0x013370a6
0x013370a7
0x013370ad
0x013370b3
0x013370b6
0x013370bb
0x013370c3
0x013370c3
0x013370c6
0x013370cd
0x013370dd
0x013370e0
0x013370e2
0x013370e2
0x013370ee
0x01337101
0x013370f0
0x013370f9
0x013370f9
0x0133710a
0x0133710e
0x01337112
0x01337117
0x01337118
0x01337118
0x013370bb
0x0133711d
0x01337123
0x01337131
0x01337131
0x01337136
0x0133713d
0x0133713e
0x0133713f
0x0133714a
0x0133714a
0x01337084
0x01337088
0x00000000
0x0133708e
0x0133708e
0x01337092
0x00000000
0x01337092

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc988d0f863ac2eba6304fdc4bae9f205dab37b96edcdc117a5a0ca065f331e
Instruction ID: 58f244cf1c689a0ef0051c2985e290235b4fec4f0453c7c110d561ab3149087b
Opcode Fuzzy Hash: acc988d0f863ac2eba6304fdc4bae9f205dab37b96edcdc117a5a0ca065f331e
Instruction Fuzzy Hash: 8031C4B26047519FD321DF2CC940A6AB7E9FFC8704F044A2DF99597690E734E904CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 012F6DE6 Relevance: .1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E012F6DE6(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t39;
				intOrPtr _t52;
				intOrPtr _t53;
				signed int _t59;
				signed int _t63;
				intOrPtr _t64;
				intOrPtr* _t66;
				void* _t68;
				intOrPtr _t69;
				signed int _t73;
				signed int _t75;
				intOrPtr _t77;
				signed int _t80;
				intOrPtr _t82;

				_t68 = __edx;
				_push(__ecx);
				_t80 = __ecx;
				_t75 = _a4;
				if(__edx >  *((intOrPtr*)(__ecx + 0x90))) {
					L23:
					asm("lock inc dword [esi+0x110]");
					if(( *(_t80 + 0xd4) & 0x00010000) != 0) {
						asm("lock inc dword [ecx+eax+0x4]");
					}
					_t39 = 0;
					L13:
					return _t39;
				}
				_t63 =  *(__ecx + 0x88);
				_t4 = _t68 + 7; // 0xa
				_t69 =  *((intOrPtr*)(__ecx + 0x8c));
				_t59 = _t4 & 0xfffffff8;
				_v8 = _t69;
				if(_t75 >= _t63) {
					_t75 = _t75 % _t63;
					L15:
					_t69 = _v8;
				}
				_t64 =  *((intOrPtr*)(_t80 + 0x17c + _t75 * 4));
				if(_t64 == 0) {
					L14:
					if(E012F6EBE(_t80, _t64, _t75) != 1) {
						goto L23;
					}
					goto L15;
				}
				asm("lock inc dword [ecx+0xc]");
				if( *((intOrPtr*)(_t64 + 0x2c)) != 1 ||  *((intOrPtr*)(_t64 + 8)) > _t69) {
					goto L14;
				} else {
					_t73 = _t59;
					asm("lock xadd [eax], edx");
					if(_t73 + _t59 > _v8) {
						if(_t73 <= _v8) {
							 *(_t64 + 4) = _t73;
						}
						goto L14;
					}
					_t77 = _t73 + _t64;
					_v8 = _t77;
					 *_a12 = _t64;
					_t66 = _a8;
					if(_t66 == 0) {
						L12:
						_t39 = _t77;
						goto L13;
					}
					_t52 =  *((intOrPtr*)(_t80 + 0x10));
					if(_t52 != 0) {
						_t53 = _t52 - 1;
						if(_t53 == 0) {
							asm("rdtsc");
							 *_t66 = _t53;
							L11:
							 *(_t66 + 4) = _t73;
							goto L12;
						}
						E012E6A60(_t66);
						goto L12;
					}
					while(1) {
						_t73 =  *0x7ffe0018;
						_t82 =  *0x7FFE0014;
						if(_t73 ==  *0x7FFE001C) {
							break;
						}
						asm("pause");
					}
					_t66 = _a8;
					_t77 = _v8;
					 *_t66 = _t82;
					goto L11;
				}
			}

0x012f6de6
0x012f6dee
0x012f6df1
0x012f6df4
0x012f6dfd
0x013305d3
0x013305d3
0x013305e4
0x013305f9
0x013305f9
0x013305fe
0x012f6e96
0x012f6e9c
0x012f6e9c
0x012f6e03
0x012f6e09
0x012f6e0c
0x012f6e12
0x012f6e15
0x012f6e1b
0x013305a1
0x012f6eb1
0x012f6eb1
0x012f6eb1
0x012f6e21
0x012f6e2a
0x012f6e9f
0x012f6eab
0x00000000
0x00000000
0x00000000
0x012f6eab
0x012f6e2c
0x012f6e34
0x00000000
0x012f6e3d
0x012f6e3d
0x012f6e42
0x012f6e4d
0x013305ac
0x013305b2
0x013305b2
0x00000000
0x013305ac
0x012f6e56
0x012f6e59
0x012f6e5d
0x012f6e5f
0x012f6e64
0x012f6e94
0x012f6e94
0x00000000
0x012f6e94
0x012f6e6a
0x012f6e6d
0x013305ba
0x013305bd
0x013305ca
0x013305cc
0x012f6e91
0x012f6e91
0x00000000
0x012f6e91
0x013305c0
0x00000000
0x013305c0
0x012f6e7e
0x012f6e7e
0x012f6e80
0x012f6e86
0x00000000
0x00000000
0x012f6eba
0x012f6eba
0x012f6e88
0x012f6e8b
0x012f6e8f
0x00000000
0x012f6e8f

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction ID: a69b8e6b3aaeec1048c0e2480bf395eeaf68d03fa0ca749abed913cb40982311
Opcode Fuzzy Hash: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction Fuzzy Hash: 0A31A232614206DFD729CF28C090AAAF7A2FFC5314F14C96DE6598B241DB71F802CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012EA70E Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E012EA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x13a7b10; // 0x0
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x13a7b10 = 8;
					 *0x13a7b14 = 0x13a7b0c;
					 *0x13a7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x1
					E012EA990(0x13a7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L012EA840(__edx, __ecx, __ecx, _t52, 0x13a7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x13a7b10; // 0x0
					_t3 = _t37 + 0x27; // 0x27
					__eflags = _t3 >> 5 -  *0x13a7b18; // 0x0
					if(__eflags > 0) {
						_t38 =  *0x13a7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x27
						_v8 = _t4 >> 5;
						_t50 = L012D4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x13a7b18 = _v8;
						_t8 = _t52 + 7; // 0x7
						E012FF3E0(_t50,  *0x13a7b14, _t8 >> 3);
						_t28 =  *0x13a7b14; // 0x0
						__eflags = _t28 - 0x13a7b0c;
						if(_t28 != 0x13a7b0c) {
							L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x8
						 *0x13a7b14 = _t50;
						_t48 = _v12;
						 *0x13a7b10 = _t9;
						goto L6;
					}
					 *0x13a7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x012ea713
0x012ea714
0x012ea717
0x012ea71d
0x012ea720
0x012ea722
0x012ea727
0x012ea74a
0x012ea754
0x012ea75e
0x012ea768
0x012ea76a
0x012ea773
0x012ea78b
0x012ea790
0x012ea792
0x012ea741
0x012ea741
0x012ea743
0x012ea749
0x012ea749
0x012ea732
0x012ea73a
0x012ea797
0x012ea79d
0x012ea7a3
0x012ea7a9
0x012ea7b6
0x012ea7bc
0x012ea7ca
0x012ea7e0
0x012ea7e2
0x012ea7e4
0x01329bf2
0x00000000
0x01329bf2
0x012ea7ed
0x012ea7f2
0x012ea800
0x012ea805
0x012ea80d
0x012ea812
0x01329c08
0x01329c08
0x012ea818
0x012ea81b
0x012ea821
0x012ea824
0x00000000
0x012ea824
0x012ea7ae
0x00000000
0x012ea7ae
0x012ea73c
0x012ea73e
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a1ddbb16d3855dc1b312d671f67a8c59f842ba33d6fb8589582c44ae54d926
Instruction ID: ec890a900bc3b98870f80f832933ba2f687d363ec6005baeaecf28965d0537d0
Opcode Fuzzy Hash: f4a1ddbb16d3855dc1b312d671f67a8c59f842ba33d6fb8589582c44ae54d926
Instruction Fuzzy Hash: BE31EDF2660201AFD725CF08D8C4F69BBFDFB84710F94095AE20687344D3B2A901CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012E61A0 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E012E61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E012E5E50(0x12967cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E01389D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E012BF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x012e61b3
0x012e61b5
0x012e61bd
0x012e61c3
0x012e61c7
0x012e61d2
0x012e61ff
0x012e61ff
0x012e6201
0x012e6207
0x012e6207
0x012e61d4
0x012e61d9
0x00000000
0x00000000
0x012e61df
0x012e61e2
0x00000000
0x00000000
0x012e61e6
0x012e61e8
0x012e61ee
0x012e61ee
0x012e61f9
0x0132762f
0x01327632
0x01327635
0x01327639
0x01327640
0x0132766e
0x01327675
0x00000000
0x00000000
0x01327681
0x01327689
0x0132768d
0x01327691
0x01327695
0x01327699
0x013276af
0x013276b5
0x013276b7
0x013276b7
0x013276d7
0x013276dc
0x00000000
0x013276dc
0x013276a2
0x013276a9
0x01327651
0x01327653
0x01327653
0x01327656
0x01327656
0x00000000
0x01327656
0x01327644
0x01327646
0x01327648
0x01327648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78968b02aa9fd72d32071c209e9a6d89fdb1598d38f001aea6d0f71481874c96
Instruction ID: 9aec42b555b322a61cf2e05b132a8b104b02369cb8132e215c4ef7b67bdd7af3
Opcode Fuzzy Hash: 78968b02aa9fd72d32071c209e9a6d89fdb1598d38f001aea6d0f71481874c96
Instruction Fuzzy Hash: 9631AF716153118FE360DF1DC804B26BBE4FFA8B14F44496DEA989B351E7B0E804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012BAA16 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E012BAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x13ad360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x13a7b9c; // 0x0
					_t53 = L012D4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E012FB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E012FF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L012C6C59(_t53, _t51, _t58) != 0) {
							_t28 = E012E5E50(0x129c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E012EB230(_v32, _v28, 0x129c2d8, 1,  &_v24);
								_t28 = E012BF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x012baa25
0x012baa29
0x012baa2d
0x012baa30
0x012baa37
0x012baa3c
0x01314458
0x01314458
0x01314472
0x01314474
0x01314476
0x012baa64
0x012baa74
0x0131447c
0x01314483
0x01314492
0x012baa52
0x012baa54
0x012baa5e
0x013144a8
0x013144ad
0x013144af
0x013144b6
0x013144b6
0x013144b9
0x013144bc
0x013144cd
0x013144d3
0x013144d6
0x013144e1
0x013144e1
0x013144e6
0x013144e8
0x013144fb
0x013144fb
0x013144e8
0x00000000
0x012baa5e
0x01314476
0x012baa42
0x012baa46
0x012baa48
0x012baa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af529c7d901e1af0605808e7da41b71d11bb77ad1dcc57b36f73822733e3286
Instruction ID: ff6a0d803d50f177e6e5aeab3282f277c8771c2e5c6c1c5ba6c69ab508d7faca
Opcode Fuzzy Hash: 9af529c7d901e1af0605808e7da41b71d11bb77ad1dcc57b36f73822733e3286
Instruction Fuzzy Hash: 1D31D572A2021AABDF159F68CD81ABFB7B8EF04700F414469F901EB244EB749911DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012F8EC7 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E012F8EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x13ad360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E012E4E70(0x13a86e4, 0x12f9490, 0, 0);
					if( *0x13a53e8 > 5 && E012F8F33(0x13a53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x13a53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x13a53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x129bc46;
						_t48 = E01337B9C(0x13a53e8, 0x129bc46, _t67, 0x13a53e8, _t70,  &_v140);
					}
				}
				return E012FB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x012f8ec7
0x012f8ed9
0x012f8edc
0x012f8ee6
0x012f8ee9
0x012f8eee
0x012f8efc
0x012f8f08
0x01331349
0x01331353
0x0133135d
0x01331366
0x0133136f
0x01331375
0x0133137c
0x01331385
0x01331390
0x01331391
0x0133139c
0x0133139d
0x013313a6
0x013313ac
0x013313b2
0x013313b5
0x013313bc
0x013313bf
0x013313c2
0x013313c5
0x013313c8
0x013313cb
0x013313ce
0x013313d1
0x013313d4
0x013313d7
0x013313da
0x013313dd
0x013313e0
0x013313e3
0x013313e6
0x013313e9
0x013313f6
0x01331400
0x01331400
0x012f8f08
0x012f8f32

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a755ceff4ffc214ec40a8e25ed8f56217a6d5d279696515931879633bef650dd
Instruction ID: 589a4a098a0a556dce74c9078d9007c2c9799fd5b1ff10d23bf628d67aabb0aa
Opcode Fuzzy Hash: a755ceff4ffc214ec40a8e25ed8f56217a6d5d279696515931879633bef650dd
Instruction Fuzzy Hash: 7A4181B1D102189FDB24CFAAD981AADFBF4FB48714F9041AEE609A7240D7745A84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 012EE730 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E012EE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E012F9670() < 0) {
					E0130DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x13a7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L012D4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M012EE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x012ee730
0x012ee736
0x012ee738
0x012ee73d
0x012ee73e
0x012ee740
0x012ee749
0x012ee765
0x012ee76a
0x012ee76b
0x012ee76c
0x012ee76d
0x012ee76e
0x012ee76f
0x012ee775
0x012ee777
0x012ee77e
0x0132b675
0x012ee784
0x012ee784
0x012ee789
0x012ee7a8
0x012ee7ac
0x012ee807
0x012ee7ae
0x012ee7ae
0x012ee7b1
0x012ee7b4
0x012ee7b9
0x012ee7c0
0x012ee7c4
0x012ee7ca
0x012ee7cc
0x00000000
0x012ee7d3
0x012ee7d6
0x00000000
0x00000000
0x012ee7ff
0x012ee802
0x00000000
0x00000000
0x012ee7f9
0x012ee7fc
0x00000000
0x00000000
0x012ee7f3
0x012ee7f6
0x00000000
0x00000000
0x012ee7ed
0x012ee7f0
0x00000000
0x00000000
0x012ee7e7
0x012ee7ea
0x00000000
0x00000000
0x0132b685
0x0132b688
0x00000000
0x00000000
0x0132b682
0x00000000
0x00000000
0x012ee7cc
0x012ee7d9
0x012ee7dc
0x012ee7de
0x012ee7de
0x012ee7ac
0x012ee7e4
0x012ee74b
0x012ee751
0x012ee759
0x012ee761
0x012ee761

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2553efe07343e6e24e93005d81965a39772fe6b1cec2220d7f80b6d6a7a95a2f
Instruction ID: 3352808ae3f7776ed176fb72496a368670e05953655521cb9ffed9d3b859a7de
Opcode Fuzzy Hash: 2553efe07343e6e24e93005d81965a39772fe6b1cec2220d7f80b6d6a7a95a2f
Instruction Fuzzy Hash: 9B31B175A6424AEFD704DF58D845F9ABBE8FB09314F15826AFA04CB341D671EC80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012EBC2C Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E012EBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x13a6100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E012D2280(0xd, 0x623f1a0);
				_t41 =  *0x13a60f8; // 0x0
				if(_t41 != 0) {
					 *0x13a60f8 =  *_t41;
					 *0x13a60fc =  *0x13a60fc + 0xffff;
				}
				E012CFFB0(_t41, 0x800, 0x623f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x13a60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L012D4620(0x13a6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x13a6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x012ebc36
0x012ebc42
0x012ebc45
0x012ebc4a
0x012ebd35
0x00000000
0x00000000
0x00000000
0x00000000
0x012ebc50
0x012ebc50
0x012ebc58
0x012ebc5a
0x012ebc60
0x00000000
0x00000000
0x0132a4f2
0x0132a4f6
0x00000000
0x00000000
0x00000000
0x0132a4fc
0x012ebc79
0x012ebc7e
0x012ebc86
0x012ebd16
0x012ebd20
0x012ebd20
0x012ebc8d
0x012ebc94
0x012ebcbd
0x012ebcca
0x012ebccb
0x012ebccc
0x012ebccd
0x012ebcce
0x012ebcd4
0x012ebcea
0x012ebcee
0x012ebcf2
0x012ebd00
0x012ebd04
0x00000000
0x012ebc96
0x012ebcab
0x012ebcaf
0x012ebd2c
0x012ebd2c
0x012ebd09
0x00000000
0x012ebd09
0x012ebcb1
0x012ebcb5
0x012ebcbb
0x00000000
0x00000000
0x00000000
0x012ebcbb

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51cf96381cc9f58b325a64e1104527f49e74d28133e5669e25ee63043f5dae16
Instruction ID: dd795e5367fd0004c8dd1cf4fdfa1166930105ed49b91b0d261aa4d6917a12ab
Opcode Fuzzy Hash: 51cf96381cc9f58b325a64e1104527f49e74d28133e5669e25ee63043f5dae16
Instruction Fuzzy Hash: C5312276A246169FCB11DF58C4C17A677B8FF18310F890078EE09DB205E775D9458BC0

Uniqueness

Uniqueness Score: -1.00%

Function 012B9100 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E012B9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x138f6e8);
				E0130D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E013888F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0130D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x13a86c0; // 0xff07b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x13a86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E012D2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E013888F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E012FAFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x13ab1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x13a84c0;
										if(_t69 >=  *0x13a84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E01389063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E012B922A(_t82);
							_t53 = E012D7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E01388B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x13a86c0; // 0xff07b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x13a86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x13a86bc;
										_t72 = 0x13a86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E012B9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x13a86c4;
									_t72 = 0x13a86c0;
									L18:
									E012E9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x012b9100
0x012b9100
0x012b9100
0x012b9100
0x012b9102
0x012b9107
0x012b910c
0x012b9110
0x012b9115
0x012b9136
0x012b9143
0x013137e4
0x013137e4
0x012b9149
0x012b914e
0x012b914e
0x012b9117
0x012b911d
0x00000000
0x00000000
0x012b911f
0x012b9125
0x00000000
0x012b9151
0x012b9158
0x012b915d
0x012b9161
0x012b9168
0x01313715
0x00000000
0x012b916e
0x012b916e
0x012b9175
0x012b9177
0x012b917e
0x012b917f
0x012b9182
0x012b9182
0x012b9187
0x012b9187
0x012b918a
0x012b918d
0x012b918f
0x012b9192
0x012b9195
0x012b9198
0x012b9198
0x012b9198
0x012b919a
0x00000000
0x00000000
0x0131371f
0x01313721
0x01313727
0x0131372f
0x01313733
0x01313735
0x01313738
0x0131373b
0x0131373d
0x01313740
0x00000000
0x00000000
0x01313746
0x01313749
0x00000000
0x00000000
0x0131374f
0x01313751
0x00000000
0x00000000
0x01313757
0x01313759
0x0131375c
0x0131375c
0x0131375e
0x0131375e
0x01313761
0x01313764
0x00000000
0x00000000
0x01313766
0x01313768
0x013137a3
0x013137a3
0x013137a5
0x013137a7
0x013137ad
0x013137b0
0x013137b2
0x013137bc
0x013137c2
0x013137c2
0x013137b2
0x012b9187
0x012b9187
0x012b918a
0x012b918d
0x012b918f
0x012b9192
0x012b9195
0x00000000
0x012b9195
0x00000000
0x012b9187
0x0131376a
0x0131376a
0x0131376c
0x0131376c
0x0131376f
0x01313775
0x00000000
0x00000000
0x01313777
0x01313779
0x00000000
0x00000000
0x01313782
0x01313787
0x01313789
0x01313790
0x01313790
0x0131378b
0x0131378b
0x0131378b
0x01313792
0x01313795
0x01313795
0x01313798
0x01313798
0x0131379b
0x0131379b
0x012b91a3
0x012b91a9
0x012b91b0
0x012b91b4
0x012b91b4
0x012b91bb
0x012b91c0
0x012b91c5
0x012b91c7
0x013137da
0x012b91cd
0x012b91cd
0x012b91cd
0x012b91d2
0x012b91d5
0x012b9239
0x012b9239
0x012b91d7
0x012b91db
0x012b91e1
0x012b91e7
0x012b91fd
0x012b9203
0x012b921e
0x012b9223
0x00000000
0x012b9223
0x012b9205
0x012b9208
0x012b920c
0x012b9214
0x012b9214
0x012b91e9
0x012b91e9
0x012b91ee
0x012b91f3
0x012b91f3
0x012b91f3
0x012b91e7
0x00000000
0x012b91db
0x012b9187
0x012b9168

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432829a2503a4b7681bf96ebecb7a462181b4349aef9b718f6fcf383c6dae111
Instruction ID: 5ed03db44431deb8b981304182ba6eca82a5fc51eb20b3fa3f8298b307703326
Opcode Fuzzy Hash: 432829a2503a4b7681bf96ebecb7a462181b4349aef9b718f6fcf383c6dae111
Instruction Fuzzy Hash: 01319EB5A21246DFEF26DB6CC4C87ECBBB1BB493A8F588189C70467251C370A9C0DB51

Uniqueness

Uniqueness Score: -1.00%

Function 012E1DB5 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E012E1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E012DF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L012D4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E012DF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x012e1dc2
0x012e1dc5
0x012e1dc7
0x012e1dcc
0x012e1dce
0x012e1dd6
0x012e1ddf
0x012e1de0
0x012e1de1
0x012e1de5
0x012e1de8
0x012e1def
0x012e1df0
0x012e1df6
0x012e1df7
0x012e1dfe
0x012e1e1a
0x00000000
0x00000000
0x012e1e0b
0x012e1e12
0x012e1e12
0x012e1e00
0x012e1e00
0x012e1e05
0x012e1e1e
0x012e1e23
0x0132570f
0x01325713
0x00000000
0x00000000
0x01325719
0x01325719
0x012e1e2c
0x012e1e2d
0x012e1e2e
0x012e1e2f
0x012e1e31
0x012e1e32
0x012e1e35
0x012e1e3d
0x01325723
0x0132573d
0x0132573d
0x00000000
0x01325723
0x012e1e49
0x012e1e4e
0x012e1e4e
0x012e1e09
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: cd02a1cbdcc60c48cab2a513de9804a638aefbfd795c894fa4828ea54d3c0ae0
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: F721E03262011AFFD720CF99CC84EABBBBDEF85640F594065FA05E7250D230AE11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01336C0A Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01336C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E012D7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x13a7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L012D4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E012FF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E012D7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E012F9AE0();
						_t23 = L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x01336c0a
0x01336c0f
0x01336c10
0x01336c13
0x01336c15
0x01336c19
0x01336c1c
0x01336c21
0x01336c28
0x01336c3a
0x01336c2a
0x01336c33
0x01336c33
0x01336c3f
0x01336c48
0x01336c4d
0x01336c60
0x01336c65
0x01336c69
0x01336c73
0x01336c79
0x01336c7f
0x01336c86
0x01336c90
0x01336c94
0x01336ca6
0x01336cb2
0x01336cbd
0x01336cbd
0x01336cc3
0x01336cc7
0x01336ccb
0x01336cd0
0x01336cd1
0x01336ce2
0x01336ce2
0x01336c69
0x01336ced

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9084334e283c2e81c240f2c1faefd811b8bb4125ba8151b58e705bee95c5f746
Instruction ID: 5ed5dd0fc4d04c776fb45f35a2e3f48c966f17f542dec900e9ac59ad3f168d5b
Opcode Fuzzy Hash: 9084334e283c2e81c240f2c1faefd811b8bb4125ba8151b58e705bee95c5f746
Instruction Fuzzy Hash: A1219CB2A10645BFDB15DB68D880F2AB7A8FF48704F140069F904C7790D638ED10CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 012F90AF Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E012F90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0130D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E012EE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L012D4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E012FF3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E012EA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x012f90af
0x012f90b8
0x012f90bb
0x012f90bf
0x012f90c2
0x012f90c2
0x012f90c8
0x012f90cb
0x012f90cd
0x013314d7
0x013314eb
0x013314eb
0x00000000
0x013314eb
0x013314db
0x013314e6
0x00000000
0x013314f2
0x013314e8
0x00000000
0x013314e8
0x012f90d8
0x012f90da
0x012f90dd
0x012f90e5
0x00000000
0x012f9139
0x012f90fa
0x012f90fe
0x012f9142
0x00000000
0x012f9142
0x012f9104
0x012f9107
0x012f910b
0x012f9110
0x012f9118
0x012f9147
0x012f9148
0x012f914f
0x012f9150
0x012f9151
0x012f9152
0x012f9156
0x012f915d
0x012f9160
0x012f9168
0x012f916c
0x012f91bc
0x012f91be
0x00000000
0x012f91be
0x012f916e
0x012f9173
0x012f9176
0x00000000
0x00000000
0x012f917c
0x012f9180
0x012f91b5
0x00000000
0x012f91b5
0x012f9182
0x012f9185
0x012f9189
0x00000000
0x00000000
0x012f918e
0x012f9190
0x012f9198
0x00000000
0x00000000
0x012f91a0
0x00000000
0x012f91ad
0x012f91ad
0x012f91b0
0x012f91b1
0x00000000
0x012f9185
0x012f911a
0x012f911c
0x012f911f
0x012f9125
0x012f9127
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 2f2874dc9a495948b155c10bcb05cd9c97fb2c7a711692731a79d20f9f44f8da
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: B3217C71A10205EFDB21DF59C984FAAFBF8EB54314F15887EFA49A7211D270A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012E3B7A Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E012E3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x13a84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x13a84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L012D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x13a84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E012FAA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E012FFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x13a84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x13a84c4; // 0x0
					L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x012e3b89
0x012e3b96
0x012e3ba1
0x012e3bab
0x012e3bb5
0x012e3bb9
0x01326298
0x012e3bbf
0x012e3bc2
0x012e3bc3
0x012e3bc9
0x012e3bca
0x012e3bcc
0x012e3bcd
0x012e3bd4
0x012e3bd6
0x012e3bdb
0x012e3bea
0x012e3bf7
0x012e3bfb
0x012e3bff
0x012e3c09
0x012e3c0a
0x012e3c0b
0x012e3c0f
0x012e3c14
0x012e3c18
0x012e3c18
0x012e3bfb
0x012e3c1b
0x012e3c30
0x012e3c30
0x012e3c3d

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb41da6fac5f1e14e9e8e488c8803bcbf44a5ccecfeaa3a5b1e13d412ba81e3
Instruction ID: 8e4752de4f165ca0a2c550b20cd316e0121450fbb6e3b04645d5c14c0d26062a
Opcode Fuzzy Hash: 5eb41da6fac5f1e14e9e8e488c8803bcbf44a5ccecfeaa3a5b1e13d412ba81e3
Instruction Fuzzy Hash: 9721D1B2A10109AFC710DF58CD85F6ABBBDFB44309F2500A8EA09AB251D371ED15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01336CF0 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01336CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E012D7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E012D7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x1295c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E012EF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E012EF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E01337016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L012D2400( &_v52);
								}
								_t21 = L012D2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x01336cfb
0x01336d00
0x01336d02
0x01336d06
0x01336d0a
0x01336d0e
0x01336d19
0x01336d2b
0x01336d1b
0x01336d24
0x01336d24
0x01336d33
0x01336d39
0x01336d46
0x01336d4f
0x01336d61
0x01336d51
0x01336d5a
0x01336d5a
0x01336d69
0x01336d6b
0x01336d6d
0x01336d6f
0x01336d6f
0x01336d74
0x01336d79
0x01336d7a
0x01336d7f
0x01336d82
0x01336d88
0x01336d89
0x01336d90
0x01336d94
0x01336da7
0x01336db1
0x01336db1
0x01336dbb
0x01336dbb
0x01336d90
0x01336d69
0x01336d46
0x01336dc6

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20df7f734c78c1270878409cc118ad01d8d795b148644c3a65388b1a4847fff
Instruction ID: d0f76aeca764865586b46b088ff82822f08888d129c01dbffc6f022e9b1c851a
Opcode Fuzzy Hash: c20df7f734c78c1270878409cc118ad01d8d795b148644c3a65388b1a4847fff
Instruction Fuzzy Hash: 5221F2B2500285AFD711EF2CC948B6BBBECEFD1648F040556FA80C7251E734CA48C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 0138070D Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0138070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E013807DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0137AFDE( &_v8,  &_v12);
					E01381293(_t38, _v28, _t60);
					if(E012D7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E013714FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x0138071b
0x01380724
0x01380734
0x01380738
0x0138074b
0x0138074b
0x01380753
0x01380753
0x01380759
0x0138075d
0x01380774
0x01380779
0x0138077d
0x01380789
0x01380795
0x013807a7
0x01380797
0x013807a0
0x013807a0
0x013807af
0x013807c4
0x013807cd
0x013807cd
0x013807af
0x013807dc

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 9e226cc9bd6f43d03277e1b25a0bf89958932900b7df820e9b9bef87cdc61dd5
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 372104362043049FD719EF2CC880B6ABBA5EFD4354F048569FD959B385D734D909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01337794 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01337794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x13a7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L012D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E012FF3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E012D7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E012F9AE0();
					_t24 = L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x01337799
0x0133779a
0x0133779b
0x013377a3
0x013377ab
0x013377ae
0x013377b1
0x013377b1
0x013377bf
0x013377c4
0x013377c8
0x013377ce
0x013377d4
0x013377e0
0x013377e0
0x013377d6
0x013377d6
0x013377de
0x00000000
0x00000000
0x013377de
0x013377e5
0x013377f0
0x013377f3
0x013377f6
0x013377fd
0x01337800
0x0133780c
0x01337818
0x0133782b
0x0133781a
0x01337823
0x01337823
0x01337830
0x01337831
0x01337838
0x0133783d
0x0133783e
0x0133784f
0x0133784f
0x0133785a

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e38e738410f465e477c62de28b515cc44663abab9f45fc54469f9dfaa8561f
Instruction ID: 9aac767ecee7a5fc446d36488b36cc4234b678fa3a9107ba8efe384694efac1a
Opcode Fuzzy Hash: 84e38e738410f465e477c62de28b515cc44663abab9f45fc54469f9dfaa8561f
Instruction Fuzzy Hash: A321A1B2510644AFC725DF69D880E6BBBACEF88340F10456DF60AC7750D634E900CB98

Uniqueness

Uniqueness Score: -1.00%

Function 012DAE73 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E012DAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E012D7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E012D7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E012D7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E012D7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E01337794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x012dae78
0x012dae7c
0x012dae7e
0x012dae81
0x012dae86
0x012dae8d
0x01322691
0x012dae93
0x012dae93
0x012dae93
0x012dae98
0x012dae9d
0x013226a2
0x013226b4
0x013226a4
0x013226ad
0x013226ad
0x013226b9
0x00000000
0x013226bb
0x00000000
0x013226bb
0x012daea3
0x012daea3
0x012daea3
0x012daeaa
0x013226c0
0x013226c9
0x013226c9
0x012daeb3
0x013226d4
0x013226e1
0x00000000
0x00000000
0x013226e7
0x013226ee
0x013226f0
0x013226f9
0x013226f9
0x01322702
0x01322708
0x01322708
0x0132270b
0x0132270f
0x01322711
0x01322711
0x01322725
0x01322725
0x00000000
0x012daeb9
0x012daeb9
0x012daebf
0x012daebf
0x012daeb3

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: da8a3efb9f4455633e1e52d789b4526e98986d8df03fc6a9d6d40c7cb5d26e0e
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 0F21F6726156919FE726AB2DCD44F3677E8EF45758F0900B0ED048B792D7B8DC40C690

Uniqueness

Uniqueness Score: -1.00%

Function 012EFD9B Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E012EFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E012C76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L012D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x012efd9b
0x012efda0
0x012efda1
0x012efdab
0x012efdad
0x012efdb0
0x012efdb8
0x012efe0f
0x012efde6
0x012efde9
0x012efdec
0x0132c0c0
0x012efdfe
0x012efe06
0x012efe06
0x0132c0c8
0x012efe2d
0x012efe2d
0x00000000
0x012efe2d
0x0132c0d1
0x0132c0e0
0x0132c0e5
0x0132c0e5
0x0132c0e8
0x00000000
0x0132c0e8
0x012efdf4
0x00000000
0x00000000
0x012efdf6
0x012efdfa
0x012efe1a
0x012efe1f
0x012efe1f
0x012efdfc
0x00000000
0x012efdfc
0x012efdcc
0x012efdd0
0x012efe26
0x00000000
0x012efe26
0x012efdd8
0x012efddb
0x012efddd
0x012efde0
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 5008a4dd9b448cd3e735b9c14a44c673de7a091de280b19c0ad6dae7e6d724c3
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: BB21A972A20A41DFD735CF0EC644A66FBE9EB94A10F65816EEA4987B11D731EC00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 012EB390 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E012EB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E012D2280(_t12, 0x13a8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E012F00C2(0x13a8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x012eb395
0x012eb3a2
0x012eb3a5
0x012eb3aa
0x012eb3b2
0x012eb3ba
0x012eb3bd
0x012eb3c0
0x012eb3c4
0x012eb3c9
0x0132a3e9
0x0132a3ed
0x0132a3f0
0x0132a3ff
0x0132a403
0x0132a409
0x00000000
0x00000000
0x0132a40b
0x0132a40b
0x0132a40f
0x0132a415
0x0132a423
0x0132a423
0x0132a415
0x012eb3d1
0x012eb3e8
0x012eb3e8
0x012eb3d9

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea03c6d71fb80b50bed6af8c5ea2047c37310aacea972e346b757a17951abb69
Instruction ID: 54bd44b582ea8852f910b8a81fe8c1054a858f292aea495366384eca13c6fa6d
Opcode Fuzzy Hash: ea03c6d71fb80b50bed6af8c5ea2047c37310aacea972e346b757a17951abb69
Instruction Fuzzy Hash: 521148377211219BCB199A188E82A6BB3A6EBC5335B69412DEE1687790CA319C06C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 012B9240 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E012B9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x138f708);
				E0130D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E012F95D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E012F95D0();
				_t33 =  *0x13a84c4; // 0x0
				L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x13a84c4; // 0x0
				L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x13a84c4; // 0x0
				E012D2280(L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x13a86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E012F95D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E012F95D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E012B9325();
					_t50 =  *0x13a84c4; // 0x0
					return E0130D0D1(L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x012b9240
0x012b9242
0x012b9247
0x012b924c
0x012b924e
0x012b9255
0x012b9257
0x012b925a
0x012b925f
0x012b925f
0x012b9266
0x012b9271
0x012b9276
0x012b9279
0x012b927e
0x012b9295
0x012b929a
0x012b92b1
0x012b92b6
0x012b92d7
0x012b92dc
0x012b92e0
0x012b92e6
0x012b92e8
0x012b92ee
0x012b9332
0x012b9333
0x012b9337
0x012b9338
0x012b933a
0x012b933a
0x012b933d
0x012b9342
0x012b9342
0x012b9345
0x012b9349
0x012b934e
0x012b9352
0x012b9357
0x012b92f4
0x012b92f4
0x012b92f6
0x012b92f9
0x012b9300
0x012b9306
0x012b9324
0x012b9324

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f83dac62026d287cce96728233bdea4dd0239348b81fc5af1742094ae2c44b49
Instruction ID: 6c5e404baa2754735a17dc641f6d5096a853757fb3af5427482fb5d0b403b424
Opcode Fuzzy Hash: f83dac62026d287cce96728233bdea4dd0239348b81fc5af1742094ae2c44b49
Instruction Fuzzy Hash: FA21B071061602DFC722EF68CA44F65B7F9FF18308F4145ACE249976A1C734E981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01344257 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E01344257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x13908d0);
				E0130D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E013441E8(__ebx, __edi, __ecx, _t39);
				E012CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x13a87e4;
					_t18 =  *0x13a87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x13a5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x13a87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x13a87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L012B7055(_t31 + 0xfffffff8);
								_t24 =  *0x13a87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x13a87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x13a5cd0;
				if( *0x13a5cd0 <= 0) {
					L012B7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x13a87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x13a87e8 = _t30;
						 *0x13a87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0130D0D1(L01344320());
			}

0x01344257
0x01344257
0x01344257
0x01344259
0x0134425e
0x01344263
0x01344265
0x01344273
0x01344278
0x0134427c
0x0134427f
0x01344281
0x01344287
0x013442d7
0x013442d7
0x013442da
0x0134428d
0x0134428d
0x0134428f
0x01344292
0x01344297
0x0134429c
0x013442a0
0x013442a6
0x013442a8
0x013442ae
0x013442b3
0x00000000
0x013442ba
0x013442ba
0x013442bf
0x013442c5
0x013442ca
0x013442cf
0x013442d0
0x00000000
0x013442d0
0x013442b3
0x00000000
0x013442a6
0x0134429c
0x013442dc
0x013442dc
0x013442e3
0x01344309
0x013442e5
0x013442e5
0x013442e8
0x013442ee
0x013442f0
0x00000000
0x013442f2
0x013442f2
0x013442f4
0x013442f7
0x013442f9
0x01344300
0x01344300
0x013442f0
0x0134430e
0x0134431f

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac492edab2b02910ca77ee5d29dd72fa7b8fa985a34393e048ff6277331aeded
Instruction ID: 9fa8e8065cecb4cd6ed061c6d4db4f3de7ea507c5d9ee76989de330c0e500161
Opcode Fuzzy Hash: ac492edab2b02910ca77ee5d29dd72fa7b8fa985a34393e048ff6277331aeded
Instruction Fuzzy Hash: 04214AB0A01601DFCB25DF68D040B64BBF5FF85359FA482AEC1598B299DB32E4A1CB41

Uniqueness

Uniqueness Score: -1.00%

Function 012E2397 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E012E2397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x13a848c != 0) {
					L012DFAD0(0x13a8610);
					if( *0x13a848c == 0) {
						E012DFA00(0x13a8610, _t19, _t27, 0x13a8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E012E2581(0x13a8610, 0x12950a0, _t26, _t27, _t28);
						E012DFA00(0x13a8610, 0x12950a0, _t27, 0x13a8610);
					}
				} else {
					L1:
					_t11 =  *0x13a8614; // 0x0
					if(_t11 == 0) {
						_t11 = E012F4886(0x1291088, 1, 0x13a8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E012E2581(0x13a8610, (_t11 << 4) + 0x1295070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x012e23b0
0x012e23b6
0x012e2409
0x012e2415
0x01325ae9
0x00000000
0x012e241b
0x012e241b
0x012e241d
0x012e2427
0x012e242e
0x012e2430
0x012e2430
0x012e23b8
0x012e23b8
0x012e23b8
0x012e23bf
0x012e23fc
0x012e23fc
0x012e23c1
0x012e23c3
0x012e23d0
0x012e23d8
0x012e23d8
0x012e23dc
0x012e23de
0x012e23e1
0x012e23e1
0x012e23ec

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4db3c107b6c08b687ba8b557bd26633f6cb63d6fcfb28cf51c612eb5f9f5d0
Instruction ID: 49ffe383566cb20344173a972ff1a90b2fc34dd3b56459ae5b798ffe188473f1
Opcode Fuzzy Hash: ab4db3c107b6c08b687ba8b557bd26633f6cb63d6fcfb28cf51c612eb5f9f5d0
Instruction Fuzzy Hash: 2A116B32724351A7E730A72DEC49F25B7CCFB60721F98446AF703A7250C5B0D8018B54

Uniqueness

Uniqueness Score: -1.00%

Function 013346A7 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E013346A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L012D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E012FF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E012ED268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L012D77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x013346b7
0x013346ba
0x013346c5
0x013346c8
0x013346d0
0x013346d4
0x013346e6
0x013346e9
0x013346f4
0x013346ff
0x01334705
0x01334706
0x0133470c
0x01334713
0x0133471b
0x01334723
0x01334725
0x013346d6
0x013346d9
0x013346db
0x013346db
0x01334732

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 799be2b7eaa6b7ff762e9ff59b2ca4d7920642e6c86d90fe57d6c47882d40a5d
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 5711CE72904208BBCB069F6CD9809BEBBB9EF95314F1080AAF9848B351DA318D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 012F37F5 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E012F37F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E012D2280(_t6, 0x13a8550);
				}
				_t29 = E012F387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E012CFFB0(0x13a8550, _t27, 0x13a8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x012f37fa
0x012f37fc
0x012f3805
0x012f3808
0x012f3808
0x012f3814
0x012f3818
0x012f3846
0x012f3848
0x012f384b
0x012f384b
0x012f3852
0x00000000
0x012f3854
0x012f3856
0x00000000
0x00000000
0x012f3863
0x00000000
0x012f3863
0x012f381a
0x012f381a
0x012f381f
0x012f386e
0x012f386e
0x012f3871
0x012f3873
0x012f3873
0x012f3868
0x00000000
0x012f3868
0x012f3821
0x012f3826
0x00000000
0x00000000
0x012f3828
0x012f382a
0x012f3841
0x00000000
0x012f3841

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c035c9ae5c5a9412cacaf032e4a252ec3ccd5b5f26e52485b638f7c0e152946
Instruction ID: 8888133cf64352ab93af714632adbefc436bf7ebc04978465c84bb05f58d1a98
Opcode Fuzzy Hash: 1c035c9ae5c5a9412cacaf032e4a252ec3ccd5b5f26e52485b638f7c0e152946
Instruction Fuzzy Hash: 5F0184B29216129BC337CA1DD940A26FBA6FF85A60F15407DEB458B315D738DC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012E002D Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012E002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E012D7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E012D7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E012D7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E012D7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x012e0032
0x012e0037
0x012e0043
0x01324b3a
0x012e0049
0x012e0049
0x012e0049
0x012e004e
0x012e0053
0x01324b48
0x01324b5a
0x01324b4a
0x01324b53
0x01324b53
0x01324b5f
0x00000000
0x01324b61
0x00000000
0x01324b61
0x012e0059
0x012e0059
0x012e0060
0x01324b6f
0x01324b6f
0x012e0069
0x01324b83
0x00000000
0x00000000
0x01324b90
0x01324b9b
0x01324b9b
0x01324ba4
0x00000000
0x00000000
0x01324baa
0x00000000
0x012e006f
0x012e006f
0x00000000
0x012e006f
0x012e0069

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 781df78d008b8f075e1299741f6cc606962a491f81e0e53a9cdb6231a7d7350e
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: F21108323216A28FE723A76CC548B353FD4AF4175CF0900A0EE4497A92D3ACD842C254

Uniqueness

Uniqueness Score: -1.00%

Function 012C766D Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E012C766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E012EF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E012EF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L012D4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x012c7672
0x012c767f
0x012c7689
0x012c76de
0x012c76de
0x012c768b
0x012c7691
0x012c7693
0x012c7697
0x00000000
0x012c7699
0x012c76a8
0x00000000
0x012c76aa
0x012c76ad
0x012c76b1
0x00000000
0x012c76b3
0x012c76b3
0x012c76b5
0x012c76ba
0x012c76bc
0x012c76bc
0x012c76c0
0x00000000
0x012c76c2
0x012c76ce
0x012c76ce
0x012c76c0
0x012c76b1
0x012c76a8
0x012c7697
0x012c76d9

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 79e5c402e46826fc5fe5fae79e15a4ec59c1f1b832f7561a4afda3fe1db598c2
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 9B018D32720119AFD7109E5FCD45E577BADEB55B60B340628BB09CB250DA30DD0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0134C450 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0134C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E012F9910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E012F95B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E012F95D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E012F95D0();
				return L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0134c458
0x0134c45d
0x0134c466
0x0134c468
0x0134c469
0x0134c46a
0x0134c46b
0x0134c46e
0x0134c46f
0x0134c471
0x0134c476
0x0134c476
0x0134c47c
0x0134c47e
0x0134c480
0x0134c480
0x0134c483
0x0134c484
0x0134c486
0x0134c488
0x0134c48f
0x0134c491
0x0134c493
0x0134c493
0x0134c48f
0x0134c498
0x0134c49e
0x0134c4ad
0x0134c4ad
0x0134c4b2
0x0134c4b4
0x0134c4cd

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: bf44830583f39ca63ef0a5316462295d4de49110aab186d0e8b86d4f763e01ec
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 50019671141506BFEB15AF69CD84E72FB6DFF54358F014529F21452660C721ACA0CEA0

Uniqueness

Uniqueness Score: -1.00%

Function 012B9080 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E012B9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x13a85ec;
				E012D2280(_t48, 0x13a85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E012CFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x13a538c; // 0x77e06828
					if( *_t84 != 0x13a5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x138f6e8);
						E0130D0E8(0x13a85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E013888F5(_t80, _t85, 0x13a5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x13a86c0; // 0xff07b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x13a86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E012D2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E013888F5(0x13a85ec, _t85, 0x13a5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E012FAFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x13ab1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x13a84c0;
																			if(_t82 >=  *0x13a84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E01389063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E012B922A(_t99);
										_t64 = E012D7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E01388B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x13a86c0; // 0xff07b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x13a86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x13a86bc;
													_t87 = 0x13a86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E012B9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x13a86c4;
												_t87 = 0x13a86c0;
												L27:
												E012E9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0130D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x13a5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x13a538c = _t51;
						goto L6;
					}
				}
			}

0x012b9082
0x012b9083
0x012b9084
0x012b9085
0x012b9087
0x012b9096
0x012b9098
0x012b9098
0x012b909e
0x012b90a8
0x012b90e7
0x012b90e7
0x012b90aa
0x012b90b0
0x012b90b7
0x012b90bd
0x012b90dd
0x012b90e6
0x012b90bf
0x012b90bf
0x012b90c7
0x012b90cf
0x012b90f1
0x012b90f2
0x012b90f4
0x012b90f5
0x012b90f6
0x012b90f7
0x012b90f8
0x012b90f9
0x012b90fa
0x012b90fb
0x012b90fc
0x012b90fd
0x012b90fe
0x012b90ff
0x012b9100
0x012b9102
0x012b9107
0x012b910c
0x012b9110
0x012b9113
0x012b9115
0x012b9136
0x012b913f
0x012b9143
0x013137e4
0x013137e4
0x012b9117
0x012b9117
0x012b911d
0x00000000
0x012b911f
0x012b911f
0x012b9125
0x00000000
0x012b9127
0x012b912d
0x012b9130
0x012b9134
0x012b9158
0x012b915d
0x012b9161
0x012b9168
0x01313715
0x012b916e
0x012b916e
0x012b9175
0x012b9177
0x012b917e
0x012b917f
0x012b9182
0x012b9182
0x012b9187
0x012b9187
0x012b918a
0x012b918d
0x012b918f
0x012b9192
0x012b9195
0x012b9198
0x012b9198
0x012b9198
0x012b919a
0x00000000
0x00000000
0x0131371f
0x01313721
0x01313727
0x0131372f
0x01313733
0x01313735
0x01313738
0x0131373b
0x0131373d
0x01313740
0x00000000
0x01313746
0x01313746
0x01313749
0x00000000
0x0131374f
0x0131374f
0x01313751
0x01313757
0x01313759
0x0131375c
0x0131375c
0x0131375e
0x0131375e
0x01313761
0x01313764
0x00000000
0x00000000
0x01313766
0x01313768
0x013137a3
0x013137a3
0x013137a5
0x013137a7
0x013137ad
0x013137b0
0x013137b2
0x013137bc
0x013137c2
0x013137c2
0x013137b2
0x012b9187
0x012b9187
0x012b918a
0x012b918d
0x012b918f
0x012b9192
0x012b9195
0x00000000
0x012b9195
0x00000000
0x0131376a
0x0131376a
0x0131376a
0x0131376c
0x0131376c
0x0131376f
0x01313775
0x00000000
0x00000000
0x01313777
0x01313779
0x01313782
0x01313787
0x01313789
0x01313790
0x01313790
0x0131378b
0x0131378b
0x0131378b
0x01313792
0x01313795
0x00000000
0x01313795
0x00000000
0x01313779
0x01313798
0x00000000
0x01313798
0x00000000
0x01313768
0x0131379b
0x0131379b
0x01313751
0x01313749
0x00000000
0x01313740
0x012b91a0
0x012b91a3
0x012b91a9
0x012b91b0
0x00000000
0x012b91b0
0x012b9187
0x012b91b4
0x012b91b4
0x012b91bb
0x012b91c0
0x012b91c5
0x012b91c7
0x013137da
0x012b91cd
0x012b91cd
0x012b91cd
0x012b91d2
0x012b91d5
0x012b9239
0x012b9239
0x012b91d7
0x012b91db
0x012b91e1
0x012b91e7
0x012b91fd
0x012b9203
0x012b921e
0x012b9223
0x00000000
0x012b9205
0x012b9205
0x012b9208
0x012b920c
0x012b9214
0x012b9214
0x012b920c
0x012b91e9
0x012b91e9
0x012b91ee
0x012b91f3
0x012b91f3
0x012b91f3
0x012b91e7
0x00000000
0x00000000
0x00000000
0x012b9134
0x012b9125
0x012b911d
0x012b914e
0x012b90d1
0x012b90d1
0x012b90d3
0x012b90d6
0x012b90d8
0x00000000
0x012b90d8
0x012b90cf

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2decbf1f7a2d939fe64d581483f6f05887aac24f318099da9430cef35263d37d
Instruction ID: 625cd262b930ec0fe2b62e254e4fe54392a1e7ca996e2217f0aaa26d04a4d755
Opcode Fuzzy Hash: 2decbf1f7a2d939fe64d581483f6f05887aac24f318099da9430cef35263d37d
Instruction Fuzzy Hash: 5D01F4B2921601CFC7258F08D880B21BBA9EF81368F214466E7018B692C370DC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01384015 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01384015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E012D2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E012D2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x13a86ac);
					E012BF900(0x13a86d4, _t28);
					E012CFFB0(0x13a86ac, _t28, 0x13a86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E012CFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0138401a
0x0138401e
0x01384023
0x01384028
0x01384029
0x0138402b
0x0138402f
0x01384043
0x01384046
0x01384051
0x01384057
0x0138405f
0x01384062
0x01384067
0x0138406f
0x0138407c
0x0138407c
0x0138408c
0x0138408c
0x01384097

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03db005c956915a1789228e2014dfe98837a0bb6959938c08f5218f2b9249e3
Instruction ID: 3ec6fd6ab04ac2418df3f7f3e43742895a6612a15263ad2d56bd06b561a09961
Opcode Fuzzy Hash: c03db005c956915a1789228e2014dfe98837a0bb6959938c08f5218f2b9249e3
Instruction Fuzzy Hash: F801A272211A46BFE311BF79CE84E63F7ACFF55664B000229F60883A61CB24EC11C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 013714FB Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E013714FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x13ad360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E012FFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E012D7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E012FB640(E012F9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x013714fb
0x013714fb
0x0137150a
0x01371514
0x01371519
0x0137151b
0x01371526
0x0137152c
0x01371534
0x01371537
0x0137153a
0x01371545
0x01371557
0x01371547
0x01371550
0x01371550
0x01371562
0x01371563
0x01371565
0x0137156a
0x0137157f

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feed2a71ef8c7f2e70f482a2a95265b23c0dd8e3b1238bb4674f9085d48d4dab
Instruction ID: 695479c22330803bf191cdcda7ceb8910a77629b5456201cb375fd7b3668583d
Opcode Fuzzy Hash: feed2a71ef8c7f2e70f482a2a95265b23c0dd8e3b1238bb4674f9085d48d4dab
Instruction Fuzzy Hash: 63019271A10248EFCB14DFA9D841EAEBBB8EF44710F40406AF904EB380D674DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0137138A Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0137138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x13ad360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E012FFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E012D7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E012FB640(E012F9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0137138a
0x0137138a
0x01371399
0x013713a3
0x013713a8
0x013713aa
0x013713b5
0x013713bb
0x013713c3
0x013713c6
0x013713c9
0x013713d4
0x013713e6
0x013713d6
0x013713df
0x013713df
0x013713f1
0x013713f2
0x013713f4
0x013713f9
0x0137140e

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba06ece996ce299b5aaed868da92e09bef8f364176e290328225e2c29d04251
Instruction ID: ee0539d67632eab08fe29e8ef9c931dc99ea55bb3a45dc2e3453171c448a81d9
Opcode Fuzzy Hash: eba06ece996ce299b5aaed868da92e09bef8f364176e290328225e2c29d04251
Instruction Fuzzy Hash: 5E015E71A10219AFDB14EFA9D941FAEBBB8EF44710F40406AB904EB380DA749A55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 012B58EC Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E012B58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x13ad360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x1295c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E012B5943() != 0 &&  *0x13a5320 > 5) {
					E01337B5E( &_v44, _t27);
					_t22 =  &_v28;
					E01337B5E( &_v28, _t28);
					_t11 = E01337B9C(0x13a5320, 0x129bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E012FB640(_t11, _t17, _v8 ^ _t29, 0x129bf15, _t27, _t28);
			}

0x012b58fb
0x012b58fe
0x012b5906
0x012b590a
0x012b593c
0x012b593c
0x012b590c
0x012b590c
0x012b5911
0x00000000
0x012b5913
0x012b5913
0x012b5913
0x012b5911
0x012b591d
0x01311035
0x0131103c
0x0131103f
0x01311056
0x01311056
0x012b593b

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3bb430a844c575a56f74ba64e706c9025250592b5acd13dedae4feee8b28b4b
Instruction ID: 5a9e4d4ecfa5c0bdb5ec823b9e2aae735056d222ee0068b74fb8fee8eeff62b5
Opcode Fuzzy Hash: f3bb430a844c575a56f74ba64e706c9025250592b5acd13dedae4feee8b28b4b
Instruction Fuzzy Hash: 3B01F771B205059BC718DB2CD8419FE77BCEF812B0F8400699A059B284DE30DD01C794

Uniqueness

Uniqueness Score: -1.00%

Function 012CB02A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012CB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E012D7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E01337016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x012cb037
0x012cb039
0x012cb03b
0x012cb040
0x0131a60e
0x00000000
0x00000000
0x0131a61d
0x012cb04b
0x012cb04e
0x0131a627
0x0131a634
0x00000000
0x00000000
0x0131a641
0x0131a653
0x0131a643
0x0131a64c
0x0131a64c
0x0131a65b
0x00000000
0x00000000
0x00000000
0x0131a66c
0x012cb057
0x012cb057
0x012cb057
0x012cb046
0x012cb046
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 589c421ea10a8ceff7954d4c6e7a1913f74a786c488e4765757c768822fcc4bf
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: BE01DF322219C09FE326871CC988F767BDCEB85B94F0904A5FB19CBA51D768DC40C624

Uniqueness

Uniqueness Score: -1.00%

Function 01381074 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01381074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0138165E(__ebx, 0x13a8ae4, (__edx -  *0x13a8b04 >> 0x14) + (__edx -  *0x13a8b04 >> 0x14), __edi, __ecx, (__edx -  *0x13a8b04 >> 0x14) + (__edx -  *0x13a8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0137AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E012D7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0136FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x01381074
0x01381080
0x01381082
0x0138108a
0x0138108f
0x01381093
0x013810ab
0x013810ab
0x013810c3
0x013810cf
0x013810e1
0x013810d1
0x013810da
0x013810da
0x013810e9
0x013810f5
0x013810f5
0x013810fe

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0df3d6446ff9f69ca09b357ab6a6c071646ead7e7f9ee1258c0786d87ceb2f
Instruction ID: ecdde858ca03dea4c0920aaa56727ece4dc09aee20d0c42aa08f1f0b05f502a3
Opcode Fuzzy Hash: fa0df3d6446ff9f69ca09b357ab6a6c071646ead7e7f9ee1258c0786d87ceb2f
Instruction Fuzzy Hash: 910147B26047429FC720EF2CCC00B1A7BE9BB84318F04C629F98593694EE34D846CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0136FE3F Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0136FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x13ad360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E012FFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E012D7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E012FB640(E012F9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0136fe3f
0x0136fe3f
0x0136fe4e
0x0136fe58
0x0136fe5d
0x0136fe5f
0x0136fe6a
0x0136fe72
0x0136fe75
0x0136fe78
0x0136fe83
0x0136fe95
0x0136fe85
0x0136fe8e
0x0136fe8e
0x0136fea0
0x0136fea1
0x0136fea3
0x0136fea8
0x0136febd

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4991ba27f56c4337ea291217071e916d6898a63b176d3349c912167c2acf865f
Instruction ID: 85aa4a2db54297aef650dbb92fb6606845b29662ccbfe780e729c895ac5d8384
Opcode Fuzzy Hash: 4991ba27f56c4337ea291217071e916d6898a63b176d3349c912167c2acf865f
Instruction Fuzzy Hash: F7018471E10209AFDB14DFA9D845FBEBBBCEF44704F00406AFA04AB381DA749911CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0136FEC0 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0136FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x13ad360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E012FFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E012D7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E012FB640(E012F9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0136fec0
0x0136fec0
0x0136fecf
0x0136fed9
0x0136fede
0x0136fee0
0x0136feeb
0x0136fef3
0x0136fef6
0x0136fef9
0x0136ff04
0x0136ff16
0x0136ff06
0x0136ff0f
0x0136ff0f
0x0136ff21
0x0136ff22
0x0136ff24
0x0136ff29
0x0136ff3e

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff0f8ef8da1249745685042e0aac5b6212c841d8196da87b8a4151210df4011
Instruction ID: 8efb9f044bcfa3cf7994b265cf75fdabeefa4065bc4cd71d3ebad56b5abb99c6
Opcode Fuzzy Hash: 1ff0f8ef8da1249745685042e0aac5b6212c841d8196da87b8a4151210df4011
Instruction Fuzzy Hash: 7C018871A10209AFDB14EBA9D845FBFBBBCEF45704F40406ABA009B380DA749915C794

Uniqueness

Uniqueness Score: -1.00%

Function 01388A62 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01388A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x13ad360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E012D7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E012FB640(E012F9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01388a62
0x01388a71
0x01388a79
0x01388a82
0x01388a85
0x01388a89
0x01388a8c
0x01388a8f
0x01388a92
0x01388a95
0x01388a9f
0x01388ab1
0x01388aa1
0x01388aaa
0x01388aaa
0x01388abc
0x01388abd
0x01388abf
0x01388ac4
0x01388ada

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c90c86c40e173c36e1f2c7b3b608336cf7353e2ee0e761c85dca8823e7cfc9
Instruction ID: a2403262034a364873a7ffd4dbe619efc54f39769dd7c1a86cfc15477e8029a8
Opcode Fuzzy Hash: 37c90c86c40e173c36e1f2c7b3b608336cf7353e2ee0e761c85dca8823e7cfc9
Instruction Fuzzy Hash: 35012C71A1021DAFDB00EFA9D9419AEFBB8EF58314F50406AFA04E7381D634A900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01388ED6 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01388ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x13ad360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E012D7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E012FB640(E012F9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x01388ed6
0x01388ee5
0x01388eed
0x01388ef0
0x01388efa
0x01388f03
0x01388f0c
0x01388f15
0x01388f24
0x01388f27
0x01388f31
0x01388f43
0x01388f33
0x01388f3c
0x01388f3c
0x01388f4e
0x01388f4f
0x01388f51
0x01388f56
0x01388f69

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44af17e194ca04c60af0b388714c36ae4c8668ade9d4223978664cbc07a12c2c
Instruction ID: bee955a8fcaf42a429723f77b0ac5927d269907a5c6a28734b7403084974fb80
Opcode Fuzzy Hash: 44af17e194ca04c60af0b388714c36ae4c8668ade9d4223978664cbc07a12c2c
Instruction Fuzzy Hash: 3F111E70A1420A9FDB04DFA9D541BAEFBF4FF08304F4442BAE518EB781E6349A40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012BDB60 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012BDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E012BDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E012BE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L012BE8B0(__ecx, _t14, 0xfff);
							L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x012bdb64
0x012bdb66
0x012bdb6b
0x012bdbaa
0x012bdb71
0x012bdb76
0x012bdb7a
0x012bdba3
0x012bdb7c
0x012bdb87
0x012bdb8b
0x01314fa1
0x01314fb3
0x01314fb8
0x012bdb91
0x012bdb96
0x012bdb98
0x012bdb98
0x012bdb8b
0x012bdb7a
0x012bdb9d
0x012bdba2

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 30b5fdf39a2113b549706693950e27fdaf14febe1f02fa151d471e4169888ba6
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 4FF0FC332215279BD7325AD988C0FE7B6958FD1BE4F160035F3059B344DE648C0296D4

Uniqueness

Uniqueness Score: -1.00%

Function 012BB1E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012BB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E012D7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E012D7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E01337016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x012bb1e8
0x012bb1ea
0x012bb1f3
0x01314a17
0x012bb1f9
0x012bb1f9
0x012bb1f9
0x012bb201
0x01314a21
0x01314a2e
0x00000000
0x00000000
0x01314a3b
0x01314a4d
0x01314a3d
0x01314a46
0x01314a46
0x01314a55
0x00000000
0x00000000
0x00000000
0x012bb20a
0x012bb20a
0x012bb20a
0x012bb20a

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 670d05cc9838d5154ba4acbc838123adaa2463346fe1cf49c60212d7deaace1f
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 1801F4336206809BE326975DC844FA9BB98EF92798F0900A1FA148B6B6D778C800C314

Uniqueness

Uniqueness Score: -1.00%

Function 0134FE87 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0134FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x13ad360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E012D7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E012FB640(E012F9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0134fe96
0x0134fe9e
0x0134fea1
0x0134fead
0x0134feb3
0x0134feb9
0x0134fec3
0x0134fed5
0x0134fec5
0x0134fece
0x0134fece
0x0134fee0
0x0134fee1
0x0134fee3
0x0134fee8
0x0134fefb

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932fe3e00dfac9d289a058ac2d061cdd768883a4a2f90c8116ab618ba7003151
Instruction ID: 357dac289feeb2a735fd0dcbe029b72ef796722e39835a6c1066882621c4c8e2
Opcode Fuzzy Hash: 932fe3e00dfac9d289a058ac2d061cdd768883a4a2f90c8116ab618ba7003151
Instruction Fuzzy Hash: D4018670A0020DEFCB14DFA8D541A6EB7F8FF04704F544169B508DB382D635E901CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0137131B Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0137131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x13ad360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E012D7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E012FB640(E012F9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0137131b
0x0137132a
0x01371330
0x01371336
0x0137133e
0x01371341
0x01371344
0x0137134f
0x01371361
0x01371351
0x0137135a
0x0137135a
0x0137136c
0x0137136d
0x0137136f
0x01371374
0x01371387

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc9262fd317ee5993cc58783a913e6d63f441f5617fb00417e0fb487490ffbc
Instruction ID: c495ae4934ff5e647170f8916bb9ab40fdb63d1e5ae11e4010fd5173a14e3681
Opcode Fuzzy Hash: 8dc9262fd317ee5993cc58783a913e6d63f441f5617fb00417e0fb487490ffbc
Instruction Fuzzy Hash: EC014F71A1120DAFDB54EFA9D545AAEB7F8FF18700F404069F945EB381E634DA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01388F6A Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E01388F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x13ad360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E012D7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E012FB640(E012F9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x01388f6a
0x01388f79
0x01388f81
0x01388f84
0x01388f8b
0x01388f91
0x01388f94
0x01388f9e
0x01388fb0
0x01388fa0
0x01388fa9
0x01388fa9
0x01388fbb
0x01388fbc
0x01388fbe
0x01388fc3
0x01388fd6

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650a769b649be91606a5f202a36e669c37d200d7172785d66dd57ea2e59542c6
Instruction ID: a5b543efc31c4b74a1969423be4012d03aa3074ecff2ed2bc2fa6f06a00f990e
Opcode Fuzzy Hash: 650a769b649be91606a5f202a36e669c37d200d7172785d66dd57ea2e59542c6
Instruction Fuzzy Hash: 38014474A0020DAFDB00EFA8D545AAEB7F4EF18304F504069B905EB380DA34DA04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 012DC577 Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012DC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E012DC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x12911cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E013888F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x012dc577
0x012dc57d
0x012dc581
0x012dc5b5
0x012dc5b9
0x012dc5ce
0x012dc5ce
0x012dc5ca
0x00000000
0x012dc5ca
0x012dc5c4
0x012dc5c8
0x00000000
0x00000000
0x00000000
0x012dc5ad
0x00000000
0x012dc5af

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc77ed6bc5cfb70d320d5325aa9106ca4a0e8ee50a545a5ade5a9c948bda2a7e
Instruction ID: a5589e541c45e041bc40a3944ea070e25ab691d59aa81e6d8dfa700a966ab141
Opcode Fuzzy Hash: fc77ed6bc5cfb70d320d5325aa9106ca4a0e8ee50a545a5ade5a9c948bda2a7e
Instruction Fuzzy Hash: 6AF0E2F29357929FE736D72CE104B227FE99B15670FD484AFD617A7202C7A4D8A0C250

Uniqueness

Uniqueness Score: -1.00%

Function 01388D34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E01388D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x13ad360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E012D7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E012FB640(E012F9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x01388d34
0x01388d43
0x01388d4b
0x01388d4e
0x01388d52
0x01388d5c
0x01388d6e
0x01388d5e
0x01388d67
0x01388d67
0x01388d79
0x01388d7a
0x01388d7c
0x01388d81
0x01388d94

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26c7d4dab2dee8a35a91fb22bad40b3417a84a14eabff530f0769cb5ee79ef7
Instruction ID: 4cb39df0c2a2c895a6ca94fd40233c592789c51f834497ed0c0cb43743b3cd99
Opcode Fuzzy Hash: b26c7d4dab2dee8a35a91fb22bad40b3417a84a14eabff530f0769cb5ee79ef7
Instruction Fuzzy Hash: 2CF09070A146099FDB14EFA8D541A6EB7B8AB14304F5080A9E905AB280DA34D9048B54

Uniqueness

Uniqueness Score: -1.00%

Function 01372073 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01372073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0136FD22(__ecx);
				_t19 =  *0x13a849c - _t3; // 0x7bb7f636
				if(_t19 == 0) {
					__eflags = _t17 -  *0x13a8748; // 0x0
					if(__eflags <= 0) {
						E01371C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x13a8724 & 0x00000004;
							if(( *0x13a8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x13a8724; // 0x0
					return E01368DF1(__ebx, 0xc0000374, 0x13a5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x01372076
0x01372078
0x0137207d
0x01372083
0x013720a4
0x013720aa
0x013720ac
0x013720b7
0x013720ba
0x013720bc
0x013720c9
0x013720c9
0x013720d0
0x013720d2
0x00000000
0x013720d2
0x013720be
0x013720c3
0x013720c5
0x013720c7
0x00000000
0x00000000
0x013720c7
0x013720bc
0x013720d4
0x01372085
0x01372085
0x013720a3
0x013720a3

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09f6cdf86c8c5ec1f1226460663740151c573fc9c33cfe50efe2baec11ed716
Instruction ID: 6098e656cdbef1fc1caf27f6b9c02bd9132b6d477f7932c53944d493a823529c
Opcode Fuzzy Hash: e09f6cdf86c8c5ec1f1226460663740151c573fc9c33cfe50efe2baec11ed716
Instruction Fuzzy Hash: 8EF0552B4251954ADF376B2C38103E33FDEE76521CF8A00C5D4A027209C53D8893CB30

Uniqueness

Uniqueness Score: -1.00%

Function 012F927A Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E012F927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L012D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E012FFA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E012F92C6(_t11, _t14);
				}
				return _t11;
			}

0x012f9295
0x012f9299
0x012f929f
0x012f92aa
0x012f92ad
0x012f92ae
0x012f92af
0x012f92b0
0x012f92b4
0x012f92bb
0x012f92bb
0x012f92c5

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: e0814e3a87c20027917e862ff81a47571f578705dad300b0702f2bcbeeee80e2
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 08E0E5322505416BEB119F09CC80B137659AF92724F00407CBA001E242C6E5D80887A0

Uniqueness

Uniqueness Score: -1.00%

Function 012D746D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E012D746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E012CEB70(__ecx, 0x13a79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E012F95D0();
							L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x012d746d
0x012d746d
0x012d746d
0x012d7471
0x012d7488
0x0131f92d
0x012d748e
0x012d7491
0x012d7495
0x0131f937
0x0131f93a
0x0131f94e
0x0131f953
0x0131f956
0x0131f956
0x012d7495
0x00000000
0x012d7488
0x012d7473
0x012d7478
0x012d747d
0x012d7481
0x00000000
0x012d7481
0x012d747d
0x012d747a
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd932f3bb4999933d32564b3cdf309ee0f1ad76054260c5998d36d4b45ec67c
Instruction ID: cb0dbb70e15c13b18f7b95003e14083b3018dfa57739eb6ea2f712006d011641
Opcode Fuzzy Hash: 1fd932f3bb4999933d32564b3cdf309ee0f1ad76054260c5998d36d4b45ec67c
Instruction Fuzzy Hash: 8DF05230930146AADF03AB7CC840B79BFB2EF0421CF54021AEA51AB161E77CC800CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 01388CD6 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01388CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x13ad360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E012D7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E012FB640(E012F9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01388ce5
0x01388ced
0x01388cf0
0x01388cfb
0x01388d0d
0x01388cfd
0x01388d06
0x01388d06
0x01388d18
0x01388d19
0x01388d1b
0x01388d20
0x01388d33

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8752f7c95124dccc3c09d3fbccd5f6178148fcd1ae1e8cc73fa3894c38dddd56
Instruction ID: e4b8e805fcc2e7885f21bf2028f6b9c558b2535351677c91a0abf2abff91cf5e
Opcode Fuzzy Hash: 8752f7c95124dccc3c09d3fbccd5f6178148fcd1ae1e8cc73fa3894c38dddd56
Instruction Fuzzy Hash: 58F08270A14209AFDB04EFA9D945E6EB7B8EF19304F5001A9F915EB2C1EA34D904C754

Uniqueness

Uniqueness Score: -1.00%

Function 012B4F2E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E013888F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E012DC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x1291030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x012b4f2e
0x012b4f34
0x012b4f38
0x01310b85
0x01310b85
0x01310b89
0x01310b9a
0x01310b9a
0x01310b9f
0x00000000
0x01310b9f
0x01310b94
0x01310b98
0x00000000
0x00000000
0x00000000
0x01310b98
0x012b4f3e
0x012b4f48
0x00000000
0x012b4f6e
0x00000000
0x012b4f70

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74a4c60e9bdd7b138604fb4b127e405df783901c8af821771499149a81c2c71
Instruction ID: a460e5cce7d7c73f279cc42cba5f9cf212078c4689a25d27f6d4cfef4dc18473
Opcode Fuzzy Hash: c74a4c60e9bdd7b138604fb4b127e405df783901c8af821771499149a81c2c71
Instruction Fuzzy Hash: 85F0E2725356858FD77ADF1CC1C4B22BBD4BB007BCF448466E4068792AC764ECC0C640

Uniqueness

Uniqueness Score: -1.00%

Function 01388B58 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01388B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x13ad360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E012D7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E012FB640(E012F9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01388b67
0x01388b6f
0x01388b72
0x01388b7d
0x01388b8f
0x01388b7f
0x01388b88
0x01388b88
0x01388b9a
0x01388b9b
0x01388b9d
0x01388ba2
0x01388bb5

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ab90907e944b738de7e37ba0ffb9c2f1c9def11f2d48b63d5a7f1004b15603
Instruction ID: fd59e53080703abd67b4c0bc56bc0d5856d5f7401bc5ba2610f2f2420b72187b
Opcode Fuzzy Hash: c9ab90907e944b738de7e37ba0ffb9c2f1c9def11f2d48b63d5a7f1004b15603
Instruction Fuzzy Hash: 73F082B0A14259AFDB10EBA8D906E7EB7B8EF44304F4404A9BA05DB3C0EA34D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 012EA44B Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012EA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x13a7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L012D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E012FFA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x012ea44b
0x012ea453
0x012ea472
0x012ea476
0x00000000
0x012ea493
0x012ea47a
0x012ea47f
0x012ea486
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af326609bffe6adc65ec9cde5e90867120389ae115dbd0f296248a092377d6c
Instruction ID: 8f41f1abc6f1ffe41e342dd2ece8f37d76bdfd601ade7c2b211091f9404e5bb2
Opcode Fuzzy Hash: 6af326609bffe6adc65ec9cde5e90867120389ae115dbd0f296248a092377d6c
Instruction Fuzzy Hash: 78E09273A21422ABD3225B18EC40F66B39DEBE4651F0A4039EA05C7214D668DD11C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 012BF358 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E012BF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E012EF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L012D4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x012bf35d
0x012bf361
0x012bf367
0x012bf372
0x012bf38c
0x012bf38c
0x012bf394

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: c259e459093d47ce8dc9779da2813219b4eba1da36440fb3db3730416f3cd3d6
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 0CE0DF32A51158FBDB21ABD99E05FAABFACDB58BA0F004195BA08D7150D571AE00C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 012CFF60 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012CFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x12911a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E013888F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E012D0050(_t14);
				}
			}

0x012cff66
0x012cff6b
0x00000000
0x012cff8f
0x00000000
0x012cff8f

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e9ceeb23502f7835396d1f9110232ebfd11557143bda3543abc55a85a39fcf
Instruction ID: 306718d012ac2b13180aabd728d27b3496d852d8e94aa7fff8722f37765dd935
Opcode Fuzzy Hash: 69e9ceeb23502f7835396d1f9110232ebfd11557143bda3543abc55a85a39fcf
Instruction Fuzzy Hash: 46E0D8B01352079FD735D759D240F293B99DB51B21F19825DEB0847182C621D940C299

Uniqueness

Uniqueness Score: -1.00%

Function 013441E8 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E013441E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x13908f0);
				_t5 = E0130D08C(__ebx, __edi, __esi);
				if( *0x13a87ec == 0) {
					E012CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x13a87ec == 0) {
						 *0x13a87f0 = 0x13a87ec;
						 *0x13a87ec = 0x13a87ec;
						 *0x13a87e8 = 0x13a87e4;
						 *0x13a87e4 = 0x13a87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L01344248();
				}
				return E0130D0D1(_t5);
			}

0x013441e8
0x013441ea
0x013441ef
0x013441fb
0x01344206
0x0134420b
0x01344216
0x0134421d
0x01344222
0x0134422c
0x01344231
0x01344231
0x01344236
0x0134423d
0x0134423d
0x01344247

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b920b478eab5b254cb4b71d9eb157c20acc6cac16b22eed218440ca2bdb339
Instruction ID: a06f5d02c3580a2087f8d6da977ba6790194a5ff26780ca6ee4338e275a4c01c
Opcode Fuzzy Hash: b3b920b478eab5b254cb4b71d9eb157c20acc6cac16b22eed218440ca2bdb339
Instruction Fuzzy Hash: 87F03278920701CFCBB1EFA9E5007183EF8FB5432AF8041AAD10487288D73649A4CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0136D380 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0136D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L012BE8B0(__ecx, _a4, 0xfff);
					L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0136d38a
0x0136d39b
0x0136d3b1
0x00000000
0x0136d3b6
0x00000000

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 4ce35d37afe538e5fc0906f354780903516ab2ba80ec06b47750213d7bf9ab20
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: C3E0C231380609BBEB225E84CC00FB9BB2ADB607A4F218031FE495AAA0C6759C91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 012EA185 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012EA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x13a67e4 >= 0xa) {
					if(_t5 < 0x13a6800 || _t5 >= 0x13a6900) {
						return L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E012D0010(0x13a67e0, _t5);
				}
			}

0x012ea190
0x012ea1a6
0x012ea1c2
0x00000000
0x00000000
0x00000000
0x012ea192
0x012ea192
0x012ea19f
0x012ea19f

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb17421d72dfd52d687f0e0a46756858b4bfb7dade4fbe15d59e21b62769aed
Instruction ID: 6d703cc05352d1fa272a7a76624f8b8d9afd4097c72c609b474a521ff33a60bc
Opcode Fuzzy Hash: adb17421d72dfd52d687f0e0a46756858b4bfb7dade4fbe15d59e21b62769aed
Instruction Fuzzy Hash: E8D02BE11310005AC62D1300C819B393A5EF790754FFE480CF2034F5E0E950CCD88109

Uniqueness

Uniqueness Score: -1.00%

Function 012E16E0 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012E16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E012E1710(0x13a67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L012D4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x012e16e8
0x012e16ef
0x012e16f3
0x012e16fe
0x00000000
0x012e1700
0x012e170d
0x012e170d
0x012e16f2
0x012e16f2
0x012e16f2
0x012e16f2

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4c303fb45b3a38d008a4cecd2e8a29821a4952a548ee3d4854ae3888a64061
Instruction ID: 751d3276e1d32eb4245751fe79939934d132b8d8ecd1f1c4795c65f34edf72fd
Opcode Fuzzy Hash: 2a4c303fb45b3a38d008a4cecd2e8a29821a4952a548ee3d4854ae3888a64061
Instruction Fuzzy Hash: 59D0A7712601429AEA2D5F159848B282691EB94B85F78007CF307498D0CFB1CCB2E458

Uniqueness

Uniqueness Score: -1.00%

Function 013353CA Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E013353CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E012CEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x013353ca
0x013353ce
0x013353d9
0x013353de
0x013353e1
0x013353e1
0x013353e6
0x013353f3
0x00000000
0x013353f8
0x013353fb

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 455940eda0f1d0c71b88ca46889c144742a280badef494cca6e93ed069f430b3
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: CEE08C329506809BDF12DB48C650F6EBBF5FB84B00F150408A1085B660C634AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 012E35A1 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012E35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E012CEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x012e35a1
0x012e35a1
0x012e35a5
0x012e35ab
0x012e35ab
0x012e35b5
0x00000000
0x012e35c1
0x012e35b7

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 0b4e64d111e79c0b134b88a5bad5268c1ed2408544b04c215e58049db6246d08
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 18D0A77143118299DB01EB14E13C7F83BF1BB04306FD81059820107652C3364909C600

Uniqueness

Uniqueness Score: -1.00%

Function 012CAAB0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012CAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x012caab6
0x012caabb
0x0131a442
0x00000000
0x0131a448
0x0131a454
0x0131a454
0x012caac1
0x012caac1
0x012caac6
0x012caac6

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 2693c6d284e3feb5429993c400e93c603ddd0fa7a356993ac809daf8b594144d
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 2ED0C935352D80CFD61BCB0CC554B0533B4BB04B44FC50490E600CB722E62CD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0133A537 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0133A537(intOrPtr _a4, intOrPtr _a8) {

				return L012D8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0133a553

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 9d4737adf7931a44593a28ac62b43aa2fc2d7941c65618723113998b5a94055f
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 7CC08C33080248BBCB126F81CC00F267F2AFBA4B60F008010FA080B570C632E970EB84

Uniqueness

Uniqueness Score: -1.00%

Function 012BDB40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012BDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L012D4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x012bdb4d
0x012bdb54
0x012bdb5f
0x012bdb56
0x012bdb56
0x012bdb5c
0x012bdb5c

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 14872d9a7d0581886c4522628c49c56e6a39d7aeae3de9a20c83c9cde99ce902
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: FBC08C302A0A42AEEB222F20CD41B903AA0BB10B49F4400A06701DA4F0EB78D801E600

Uniqueness

Uniqueness Score: -1.00%

Function 012BAD30 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012BAD30(intOrPtr _a4) {

				return L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x012bad49

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: e95ec28ba6dc52f701fa4febbdb3aa3773151fa93626b97fc213471ebb7cab46
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: D6C02B330C0248BBC7126F45CD00F11BF2DE7A0B60F010020F6040B6B1C936EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 012D3A1C Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012D3A1C(intOrPtr _a4) {
				void* _t5;

				return L012D4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x012d3a35

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: c511aeb9cf695ee12f7e0a35d6b65198a637bdf6486fa112451e5aaa0c75f855
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: A8C08C32080288BBC7126E41DC00F117B29E7A0B60F004020BA040A9608532EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 012C76E2 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012C76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L012D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x012c76e4
0x00000000
0x012c76f8
0x012c76fd

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 4aba94f941d00419a52922ebaf3af1be7039266ed51c700ab66a0df581ddf5e1
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 10C08C701611825EFB2A570CCE22B303A50AB08B08FA8029CAB01094E2C36EA802CA08

Uniqueness

Uniqueness Score: -1.00%

Function 012E36CC Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012E36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L012D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x012e36d2
0x012e36e8
0x012e36d4
0x012e36e5
0x012e36e5

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: d7dcc395656a87905632e13172e0a077dd46c10437d5ca970998b221aaffeddf
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 3FC02B70170480FFD7156F30CD40F2472D4F700A22FA403547321468F0D538DC00D504

Uniqueness

Uniqueness Score: -1.00%

Function 012D7D50 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012D7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x012d7d56
0x012d7d5b
0x012d7d60
0x012d7d5d
0x012d7d5d
0x012d7d5d

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: d5a78a619b9ae6ce3dc9635259c024e7f24d643528a056f50c8776f78e96786c
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 22B092353119418FCE16DF18C080B1533E4BB45A44F8400D4E400CBA21D329E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 012E2ACB Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012E2ACB() {
				void* _t5;

				return E012CEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x012e2adc

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 0bc71f997c0ed7d7d8b76afa5fef2da9ddc938d846f659b8439f6c01e692a8e9
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 4FB01232C20441CFCF02EF40C610B397731FB00B50F064494910127930C228AC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012F9520 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab27f486943f39554c83114c22d84338f27f530a275c216e66b56aaf7e96d88
Instruction ID: cd981bad2efcb4019aa87ca931acd2df7b109763980fad15ca2a7752ec080205
Opcode Fuzzy Hash: cab27f486943f39554c83114c22d84338f27f530a275c216e66b56aaf7e96d88
Instruction Fuzzy Hash: 3D9002E5201140928901E2D98414B0A4585A7E0245B51C026E1044564CC5A58855A175

Uniqueness

Uniqueness Score: -1.00%

Function 012FAD30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b2b2d38d1c6ebeb6c1a15134de1f15a9267783cdcddbdd0e9c8cd2ad6f00ec
Instruction ID: b447d35f804634e8f1056fc2eef642b9a4c201b255280bcaf0275725d3a627f6
Opcode Fuzzy Hash: 50b2b2d38d1c6ebeb6c1a15134de1f15a9267783cdcddbdd0e9c8cd2ad6f00ec
Instruction Fuzzy Hash: D7900275A0500012D541B1D948247464086B7E0785B55C021A0504558CC9D48A5963E1

Uniqueness

Uniqueness Score: -1.00%

Function 012F9560 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f765822798fab67b4ee6f83f8d3bcd4f599ae4502becac4ec993049838ede50
Instruction ID: 9466532bdd0d6f079b5841cdcbdbc40943a635ce868321514599ace13aa10edb
Opcode Fuzzy Hash: 3f765822798fab67b4ee6f83f8d3bcd4f599ae4502becac4ec993049838ede50
Instruction Fuzzy Hash: 62900269221000024546E5D9061460B04C5B7D6395391C025F1406594CC6A188696361

Uniqueness

Uniqueness Score: -1.00%

Function 012F9950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1523bb5d8cd79352ae3fe8f91e0e3ca77f44da0e61b37f306fd6740ec2ce2b23
Instruction ID: 987a4b285b209dd6c9fece63c4858978c33f3fc8be0167a20eb3684c846e5da1
Opcode Fuzzy Hash: 1523bb5d8cd79352ae3fe8f91e0e3ca77f44da0e61b37f306fd6740ec2ce2b23
Instruction Fuzzy Hash: AD9002A520140403D541A5D948147070085A7D0346F51C021A2054559ECAA98C557175

Uniqueness

Uniqueness Score: -1.00%

Function 012F95F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472e36485daa28b45f26d931124d2b233ae0d4b259a12362c753ba2363156acd
Instruction ID: 978528feebd96ef9190a5817b52fd1653294f557383dc4ae54e22b7cf7c850a6
Opcode Fuzzy Hash: 472e36485daa28b45f26d931124d2b233ae0d4b259a12362c753ba2363156acd
Instruction Fuzzy Hash: 1490027520100802D505A1D948147860085A7D0345F51C021A6014659ED6E588957171

Uniqueness

Uniqueness Score: -1.00%

Function 012F99D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c934a037c7ad160bb271d08e5f76b828cf08eaa463a773de1d60c08cf54fd888
Instruction ID: 1d5965413de36c29a4b9db4879a48539c6722331b7bfbbf748905584511a4f70
Opcode Fuzzy Hash: c934a037c7ad160bb271d08e5f76b828cf08eaa463a773de1d60c08cf54fd888
Instruction Fuzzy Hash: 929002A521100042D505A1D9441470600C5A7E1245F51C022A2144558CC5A98C656165

Uniqueness

Uniqueness Score: -1.00%

Function 012F9820 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f66e5e924c7033f5a8c17c39f2d1f775405cca0c7aed3cc56c1815d9191eb7
Instruction ID: 5a0374f79309ef0362f0bf39b1c86a877515ea14d6c1d89928f66bfb37304ab8
Opcode Fuzzy Hash: d0f66e5e924c7033f5a8c17c39f2d1f775405cca0c7aed3cc56c1815d9191eb7
Instruction Fuzzy Hash: 2690027524100402D542B1D944147060089B7D0285F91C022A0414558EC6D58A5ABAA1

Uniqueness

Uniqueness Score: -1.00%

Function 012FB040 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079eb1a21a7781e67e15a2135dc1c48974f7a962a42aba87015e3daf0bc44525
Instruction ID: 1a739faf4613a5a556ec15c3bc214964071e4ab8744ccbff3d3eda50bb94ccda
Opcode Fuzzy Hash: 079eb1a21a7781e67e15a2135dc1c48974f7a962a42aba87015e3daf0bc44525
Instruction Fuzzy Hash: EF9002A5601140438941F1D948145065095B7E1345391C131A0444564CC6E88859A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 012F98A0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022296f07f611662c9702c8b10c810883ae32323dd730f015d06a14a0f7dd2c0
Instruction ID: 0e447693615b4bf6cc6a8e263f74fc8f5d90e1aec50bb804c5148b4d8828fe33
Opcode Fuzzy Hash: 022296f07f611662c9702c8b10c810883ae32323dd730f015d06a14a0f7dd2c0
Instruction Fuzzy Hash: 3A90026530100402D503A1D944247060089E7D1389F91C022E1414559DC6A58957B172

Uniqueness

Uniqueness Score: -1.00%

Function 012F9730 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a5f2f9c0f788e8598f3584585a9ac9af6a7efa105ac7319daaffde4c65f912
Instruction ID: 1d899ff14d2118f4280325ae47419ffc463a87054136d2d473c53f8ba71e1318
Opcode Fuzzy Hash: 23a5f2f9c0f788e8598f3584585a9ac9af6a7efa105ac7319daaffde4c65f912
Instruction Fuzzy Hash: EA90026560500402D541B1D954287060095A7D0245F51D021A0014558DC6D98A5976E1

Uniqueness

Uniqueness Score: -1.00%

Function 012F9B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1b2cfb42e438697baa2206782d60ba8e03f206782251017992eff0222318bb
Instruction ID: 5d2dbbeb3767e8bb82dc6ed5d9cbe27ed5b8ae20cbabbbe6e5d2d9fdaf1a322c
Opcode Fuzzy Hash: ba1b2cfb42e438697baa2206782d60ba8e03f206782251017992eff0222318bb
Instruction Fuzzy Hash: 0F90026524100802D541B1D984247070086E7D0645F51C021A0014558DC696896976F1

Uniqueness

Uniqueness Score: -1.00%

Function 012FA710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab94721afcca2ba73e19680923b989f33b594536419707cf8ae5d4f4ba6f17b5
Instruction ID: 111b73e3450de9c30a65dc11db9848b61df304c30560a8c712eb3cd6ff31c01e
Opcode Fuzzy Hash: ab94721afcca2ba73e19680923b989f33b594536419707cf8ae5d4f4ba6f17b5
Instruction Fuzzy Hash: EB90027530100052D901E6D95814B4A4185A7F0345B51D025A4004558CC5D488656161

Uniqueness

Uniqueness Score: -1.00%

Function 012F9760 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee0bf55dc0d97138b9d13a594337900eff5f847bfdbcaddc79a68bf8000f706
Instruction ID: c4d159f72cc6528d912e09dc5c961638188185dd135d95cdbbf4d61341d4cd40
Opcode Fuzzy Hash: cee0bf55dc0d97138b9d13a594337900eff5f847bfdbcaddc79a68bf8000f706
Instruction Fuzzy Hash: C390027520100403D501A1D955187070085A7D0245F51D421A041455CDD6D688557161

Uniqueness

Uniqueness Score: -1.00%

Function 012F9770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491f223840a7cbea0b358063ecbc8efbb3b4b83d8853d939da9ef32f74659c25
Instruction ID: af148214abd016a119103e3bad9e84690bcca47df2e55389970ca19a1d1fbe0b
Opcode Fuzzy Hash: 491f223840a7cbea0b358063ecbc8efbb3b4b83d8853d939da9ef32f74659c25
Instruction Fuzzy Hash: B690026520504442D501A5D95418B060085A7D0249F51D021A1054599DC6B58855B171

Uniqueness

Uniqueness Score: -1.00%

Function 012FA770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1945855c785da3ac06c3a46cc1a86747dd9a902e8fb79e870e0a1e35ddc6ba
Instruction ID: e5fa1a2a81484f8f2d02b5e20ba16258b2d7ac95ac990d8b47eb1d6105026ee0
Opcode Fuzzy Hash: aa1945855c785da3ac06c3a46cc1a86747dd9a902e8fb79e870e0a1e35ddc6ba
Instruction Fuzzy Hash: AD90027920504442D901A5D95814B870085A7D0349F51D421A041459CDC6D48865B161

Uniqueness

Uniqueness Score: -1.00%

Function 012FA3B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d512bfcfaa19f766e570a4a44b1eaf6166d128b49c0f2a7efd37c5a432447b
Instruction ID: caca92483083f91a5d363fc5d5e12032b5d193e5300148251d06a1b14a33ab90
Opcode Fuzzy Hash: 74d512bfcfaa19f766e570a4a44b1eaf6166d128b49c0f2a7efd37c5a432447b
Instruction Fuzzy Hash: C490027520144002D541B1D9845470B5085B7E0345F51C421E0415558CC695885AA261

Uniqueness

Uniqueness Score: -1.00%

Function 012F9A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1369dc798db065aee7e9911a90c84e44305c8e51a4ae37625228e1053a2646f
Instruction ID: d23450830308a9dc6f1c0aa016d4de592eae5c4c59c725d624c4c2765e50b4b9
Opcode Fuzzy Hash: f1369dc798db065aee7e9911a90c84e44305c8e51a4ae37625228e1053a2646f
Instruction Fuzzy Hash: 1790027520140402D501A1D948187470085A7D0346F51C021A5154559EC6E5C8957571

Uniqueness

Uniqueness Score: -1.00%

Function 012F9610 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1b0cdb9f4ca8fa9c07428dd3c2e8cd9da7566286ad6e24efc350ab0cc142d5
Instruction ID: c2ba2c9303d2edfbb89fee175b0c4280612f844a557e1cd0e423b6a24faee6e9
Opcode Fuzzy Hash: 8e1b0cdb9f4ca8fa9c07428dd3c2e8cd9da7566286ad6e24efc350ab0cc142d5
Instruction Fuzzy Hash: FA90027560500802D551B1D944247460085A7D0345F51C021A0014658DC7D58A5976E1

Uniqueness

Uniqueness Score: -1.00%

Function 012F9650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea9911ba75eb0f3815ffbd80d11a4f472b86becb22f7fcb990823fbd581f69d
Instruction ID: ede60a1c9c9437827b35e0e0bca032ae0f23e8ba24b95ffade31cfe4b724e39b
Opcode Fuzzy Hash: 9ea9911ba75eb0f3815ffbd80d11a4f472b86becb22f7fcb990823fbd581f69d
Instruction Fuzzy Hash: FC90027520504842D541B1D94414B460095A7D0349F51C021A0054698DD6A58D59B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 012F9A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5902f7e6a61af476ceff08e533c3affe5854670fa01496c2dbaf1d4335e797
Instruction ID: c81e0e16e041e283114117204aae2e1d9814eb670f816282f08d72e025cb4ddc
Opcode Fuzzy Hash: 1e5902f7e6a61af476ceff08e533c3affe5854670fa01496c2dbaf1d4335e797
Instruction Fuzzy Hash: 2190026520144442D541A2D94814B0F4185A7E1246F91C029A4146558CC99588596761

Uniqueness

Uniqueness Score: -1.00%

Function 012F96D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca53d870332a580cdb7e6a6eee4e5456210cf4a94aa02e0ac3decdd07c5119a
Instruction ID: 17c6c16ca8cbcc6cfa03958d59cc9ce05d046b55927c9e81401c98c3e9b4cd96
Opcode Fuzzy Hash: dca53d870332a580cdb7e6a6eee4e5456210cf4a94aa02e0ac3decdd07c5119a
Instruction Fuzzy Hash: 2590027520100842D501A1D94414B460085A7E0345F51C026A0114658DC695C8557561

Uniqueness

Uniqueness Score: -1.00%

Function 012F9670 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 8d81457e1e80bac416d0df438bdb0e7828432de40945c570d5b7257d30e23d02
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 012E645B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E012E645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x13ad360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E012FFA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E012D2280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E012CFFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x13ab1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E012FB640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x012e645b
0x012e6463
0x012e646d
0x012e6475
0x012e647a
0x012e647e
0x012e6480
0x012e648c
0x012e6490
0x012e6495
0x012e6498
0x012e649b
0x012e649f
0x012e64a1
0x01327c07
0x01327c09
0x01327c0c
0x00000000
0x012e64a7
0x012e64a7
0x012e64aa
0x01327bf7
0x01327c00
0x00000000
0x01327bf9
0x01327bf9
0x01327bf9
0x012e64b0
0x012e64b0
0x012e64b2
0x012e64b2
0x012e64b3
0x012e64ba
0x012e6553
0x012e655e
0x012e6566
0x012e656c
0x012e6575
0x012e657f
0x012e6585
0x012e6588
0x012e6588
0x012e64c7
0x012e64cb
0x012e64ce
0x012e64d3
0x012e64da
0x012e64e5
0x012e64ed
0x012e64f1
0x012e64f5
0x012e64f6
0x012e64fa
0x012e6502
0x012e6503
0x012e6504
0x012e6507
0x012e651a
0x012e6524
0x012e6524
0x012e6526
0x012e6526
0x012e64aa
0x012e652c
0x012e652d
0x012e652e
0x012e6539

APIs

RtlDebugPrintTimes.NTDLL ref: 012E651A

Strings

0, xrefs: 012E64E5
0, xrefs: 012E64FA

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 2655e55572d176609e5c679d297a026b2f0bd07ca4edeb3934c7d1722504a0a9
Instruction ID: e8069bf81f3fe52eb1250687624e65a8c6dbcdd30b25bbe991fd1381c13c8b94
Opcode Fuzzy Hash: 2655e55572d176609e5c679d297a026b2f0bd07ca4edeb3934c7d1722504a0a9
Instruction Fuzzy Hash: 82418BB16147029FD311CF28C444A6ABBE5FB98718F04462EF588DB301D771EA05CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0134FDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0134FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E012FCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01345720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01345720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0134fdda
0x0134fde2
0x0134fde5
0x0134fdec
0x0134fdfa
0x0134fdff
0x0134fe0a
0x0134fe0f
0x0134fe17
0x0134fe1e
0x0134fe19
0x0134fe19
0x0134fe19
0x0134fe20
0x0134fe21
0x0134fe22
0x0134fe25
0x0134fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0134FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0134FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0134FE2B

Memory Dump Source

Source File: 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000006.00000002.634639103.00000000013AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_SWIFT Transfer (103) __037RTG2050822156____Pdf__.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 7ec7409c78c40be265b4a02bcc0eaeca6fdc7a8566df9b2cc8aa56753afad0da
Instruction ID: edb64d0c1f621f438a09706caf61a3825b122ae12b420b026aa9e09af3e596ac
Opcode Fuzzy Hash: 7ec7409c78c40be265b4a02bcc0eaeca6fdc7a8566df9b2cc8aa56753afad0da
Instruction Fuzzy Hash: 3FF0F632640201BFE6201A49DC02F23BF9EEB44B30F150318F628565D1EA62F87087F0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
SWIFT Transfer (103) 037RTG2050822156Pdf.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT Transfer (103) 037RTG2050822156Pdf.exe.log

Analysis Process: SWIFT Transfer (103) 037RTG2050822156Pdf.exePID: 5860, Parent PID: 5696

Analysis Process: SWIFT Transfer (103) 037RTG2050822156Pdf.exePID: 5032, Parent PID: 5860

Analysis Process: SWIFT Transfer (103) 037RTG2050822156Pdf.exePID: 5860, Parent PID: 5696COMMON

Function 01803DC4 Relevance: 10.7, Strings: 8, Instructions: 668
COMMON

Function 01808458 Relevance: 10.7, Strings: 8, Instructions: 665
COMMON

Function 0180550C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 01803F84 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0180BEE0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0180BB58 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 0180BF50 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Analysis Process: SWIFT Transfer (103) 037RTG2050822156Pdf.exePID: 5032, Parent PID: 5860COMMON

Function 012F9910 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 012F9540 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 012F99A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 012F95D0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 012F9860 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 012F9840 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 012F98F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 012F9710 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 012F97A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 012F9780 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE